On 01/05/2010 10:43 PM, Roland Dreier wrote:
Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.
Signed-off-by: Roland Dreier<rola...@cisco.com>
Applied. Thanks.
Regards,
Anthony Liguori
---
Hi Anthony,
as far as I can tell this seems to have slipped through the cracks. I
think this is fairly important: it is a guest-triggerable stack smashing
attack in the worst case.
Thanks,
Roland
hw/vmware_vga.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 7ab1c79..5e969ae 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.height = y = vmsvga_fifo_read(s);
vmsvga_fifo_read(s);
cursor.bpp = vmsvga_fifo_read(s);
+
+ if (SVGA_BITMAP_SIZE(x, y)> sizeof cursor.mask ||
+ SVGA_PIXMAP_SIZE(x, y, cursor.bpp)> sizeof cursor.image) {
+ args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y,
cursor.bpp);
+ goto badcmd;
+ }
+
for (args = 0; args< SVGA_BITMAP_SIZE(x, y); args ++)
cursor.mask[args] = vmsvga_fifo_read_raw(s);
for (args = 0; args< SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
