qxl-render: fix race condition in qxl_curs...

Peter Maydell via Qemu-commits Fri, 08 Apr 2022 07:08:56 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
      
https://github.com/qemu/qemu/commit/9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
  Author: Mauro Matteo Cascella <mcasc...@redhat.com>
  Date:   2022-04-07 (Thu, 07 Apr 2022)


  Changed paths:
    M hw/display/qxl-render.c

  Log Message:
  -----------
  display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)

Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.

Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
Message-Id: <20220407081106.343235-1-mcasc...@redhat.com>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>


  Commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa
      
https://github.com/qemu/qemu/commit/fa892e9abb728e76afcf27323ab29c57fb0fe7aa
  Author: Mauro Matteo Cascella <mcasc...@redhat.com>
  Date:   2022-04-07 (Thu, 07 Apr 2022)

  Changed paths:
    M hw/display/qxl-render.c
    M hw/display/vmware_vga.c
    M ui/cursor.c

  Log Message:
  -----------
  ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)

Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.

Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
Message-Id: <20220407081712.345609-1-mcasc...@redhat.com>
Signed-off-by: Gerd Hoffmann <kra...@redhat.com>


  Commit: dde8689d1fe82e295a278ba4bf1abd9be5c7bcab
      
https://github.com/qemu/qemu/commit/dde8689d1fe82e295a278ba4bf1abd9be5c7bcab
  Author: Peter Maydell <peter.mayd...@linaro.org>
  Date:   2022-04-08 (Fri, 08 Apr 2022)

  Changed paths:
    M hw/display/qxl-render.c
    M hw/display/vmware_vga.c
    M ui/cursor.c

  Log Message:
  -----------
  Merge tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu into 
staging

two cursor/qxl related security fixes.

# gpg: Signature made Fri 08 Apr 2022 05:37:16 BST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kra...@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <g...@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kra...@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu:
  ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
  display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)

Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>


Compare: https://github.com/qemu/qemu/compare/95a3fcc7487e...dde8689d1fe8

[Qemu-commits] [qemu/qemu] 9569f5: display/qxl-render: fix race condition in qxl_curs...

Reply via email to