On 08/24/2017 04:19 AM, Gerd Hoffmann wrote:
> Instead pass around the address (aka offset into vga memory).
> Add vga_read_* helper functions which apply vbe_size_mask to
> the address, to make sure the address stays within the valid
> range, simliar to the cirrus blitter fixes (commits ffaf857778

s/simliar/similar/

> and 026aeffcb4).
>
> Impact: DoS for priviledged guest users. qemu crashes with

s/priviledged/privileged/

> a segfault, when hitting the guard page after vga memory
> allocation, while reading vga memory for display updates.
>
> Fixes: CVE-2017-xxxx

Do we have the actual number? Are we trying to get this in 2.10-rc4, or
is it merely 2.11 + qemu-stable (2.10.1) material?

> Cc: P J P <ppan...@redhat.com>
> Reported-by: David Buchanan <d...@vidbuchanan.co.uk>
> Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
> ---
> hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++---------------------
> hw/display/vga_int.h     |   1 +
> hw/display/vga.c         |   5 +-
> 3 files changed, 114 insertions(+), 94 deletions(-)

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
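The masking approach the commit message describes, as an added illustration that is not QEMU's code and not part of this thread: a stand-in state struct (assumed names `VgaDemo`, `vram_ptr`, `vram_size`, `vbe_size_mask`) with byte-wise masked read helpers, so that even a multi-byte read starting at the last byte wraps inside the buffer instead of touching the guard page.

```c
#include <stdint.h>
#include <stdlib.h>

/* Minimal stand-in for the VGA state; field names are assumed, not QEMU's. */
typedef struct {
    uint8_t *vram_ptr;      /* display memory */
    uint32_t vram_size;     /* must be a power of two for the mask trick */
    uint32_t vbe_size_mask; /* vram_size - 1 */
} VgaDemo;

/* Returns 0 on success, -1 if size is not a power of two or allocation fails. */
static int vga_demo_init(VgaDemo *s, uint32_t size)
{
    if (size == 0 || (size & (size - 1)) != 0) {
        return -1; /* size - 1 is only a valid mask for powers of two */
    }
    s->vram_ptr = calloc(size, 1);
    if (!s->vram_ptr) return -1;
    s->vram_size = size;
    s->vbe_size_mask = size - 1;
    return 0;
}

/* Every byte access is masked, so an offset can never leave the buffer. */
static inline uint8_t vga_read_byte(VgaDemo *s, uint32_t addr)
{
    return s->vram_ptr[addr & s->vbe_size_mask];
}

/* Wider reads are built from masked byte reads (little-endian), so a read
 * that starts near the end wraps to offset 0 instead of overrunning. */
static inline uint16_t vga_read_word_le(VgaDemo *s, uint32_t addr)
{
    return (uint16_t)(vga_read_byte(s, addr) | (vga_read_byte(s, addr + 1) << 8));
}

static inline uint32_t vga_read_dword_le(VgaDemo *s, uint32_t addr)
{
    return vga_read_word_le(s, addr) | ((uint32_t)vga_read_word_le(s, addr + 2) << 16);
}

/* Constructed check: 16-byte buffer filled with 0..15, dword read at offset 15
 * yields bytes 15,0,1,2 -> 0x0201000F. */
static uint32_t demo_wrapped_read(void)
{
    VgaDemo s;
    if (vga_demo_init(&s, 16) != 0) return 0;
    for (uint32_t i = 0; i < s.vram_size; i++) s.vram_ptr[i] = (uint8_t)i;
    uint32_t v = vga_read_dword_le(&s, s.vram_size - 1);
    free(s.vram_ptr);
    return v;
}
```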