Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue (CVE-2017-TODO)

2017-01-25 Thread Laszlo Ersek
On 01/25/17 11:50, Wolfgang Bumiller wrote: > On Wed, Jan 25, 2017 at 11:35:44AM +0100, Laszlo Ersek wrote: >> On 01/25/17 10:50, Gerd Hoffmann wrote: >>> On Mi, 2017-01-25 at 09:30 +0100, Wolfgang Bumiller wrote: On Wed, Jan 25, 2017 at 08:07:05AM +0100, Gerd Hoffmann wrote: > From: Li

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue (CVE-2017-TODO)

2017-01-25 Thread Wolfgang Bumiller
On Wed, Jan 25, 2017 at 11:35:44AM +0100, Laszlo Ersek wrote: > On 01/25/17 10:50, Gerd Hoffmann wrote: > > On Mi, 2017-01-25 at 09:30 +0100, Wolfgang Bumiller wrote: > >> On Wed, Jan 25, 2017 at 08:07:05AM +0100, Gerd Hoffmann wrote: > >>> From: Li Qiang > >>> > >>> When doing

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue (CVE-2017-TODO)

2017-01-25 Thread Gerd Hoffmann
On Mi, 2017-01-25 at 08:07 +0100, Gerd Hoffmann wrote: > From: Li Qiang > > When doing bitblt copy in backward mode, we should subtract the > blt width first, just like the addition in forward mode. This > can avoid the oob access of the front of vga's vram. > > Signed-off-by:

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue (CVE-2017-TODO)

2017-01-25 Thread Laszlo Ersek
On 01/25/17 10:50, Gerd Hoffmann wrote: > On Mi, 2017-01-25 at 09:30 +0100, Wolfgang Bumiller wrote: >> On Wed, Jan 25, 2017 at 08:07:05AM +0100, Gerd Hoffmann wrote: >>> From: Li Qiang >>> >>> When doing bitblt copy in backward mode, we should subtract the >>> blt width first

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-25 Thread Laszlo Ersek
On 01/25/17 08:18, Gerd Hoffmann wrote: > Hi, > >>> The negative pitch means (I think) that "addr" points to the lower >>> left corner of the rectangle. >>> >>> The second part guarantees that the last blitted byte fits (lower >>> right corner). >> >> To which Gerd responded "upper left". In

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue (CVE-2017-TODO)

2017-01-25 Thread Gerd Hoffmann
On Mi, 2017-01-25 at 09:30 +0100, Wolfgang Bumiller wrote: > On Wed, Jan 25, 2017 at 08:07:05AM +0100, Gerd Hoffmann wrote: > > From: Li Qiang > > > > When doing bitblt copy in backward mode, we should subtract the > > blt width first, just like the addition in forward mode.

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue (CVE-2017-TODO)

2017-01-25 Thread Wolfgang Bumiller
On Wed, Jan 25, 2017 at 08:07:05AM +0100, Gerd Hoffmann wrote: > From: Li Qiang > > When doing bitblt copy in backward mode, we should subtract the > blt width first, just like the addition in forward mode. This > can avoid the oob access of the front of vga's vram. > >

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Gerd Hoffmann
Hi, > > I have read all the discussion, very long and useful, but I think I still > > need some > > time to get a full understanding. So I think one of you can provide the > > formal patch to > > describe the issue in more detail. > > Your patch is almost correct. New version out for review. >

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Gerd Hoffmann
Hi, > > The negative pitch means (I think) that "addr" points to the lower > > left corner of the rectangle. > > > > The second part guarantees that the last blitted byte fits (lower > > right corner). > > To which Gerd responded "upper left". In retrospect I don't understand > why we didn't

[Qemu-devel] [PATCH] cirrus: fix oob access issue (CVE-2017-TODO)

2017-01-24 Thread Gerd Hoffmann
From: Li Qiang When doing bitblt copy in backward mode, we should subtract the blt width first, just like the addition in forward mode. This can avoid the oob access of the front of vga's vram. Signed-off-by: Li Qiang Message-id:

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Laszlo Ersek
On 01/25/17 02:18, Li Qiang wrote: > > > 2017-01-25 0:12 GMT+08:00 Laszlo Ersek >: > > On 01/24/17 16:31, Wolfgang Bumiller wrote: > > On Tue, Jan 24, 2017 at 01:29:58PM +0100, Gerd Hoffmann wrote: > >> if (pitch < 0) { >

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Li Qiang
2017-01-25 0:12 GMT+08:00 Laszlo Ersek : > On 01/24/17 16:31, Wolfgang Bumiller wrote: > > On Tue, Jan 24, 2017 at 01:29:58PM +0100, Gerd Hoffmann wrote: > >> if (pitch < 0) { > >> int64_t min = addr > >> -+

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Laszlo Ersek
On 01/24/17 16:31, Wolfgang Bumiller wrote: > On Tue, Jan 24, 2017 at 01:29:58PM +0100, Gerd Hoffmann wrote: >> if (pitch < 0) { >> int64_t min = addr >> -+ ((int64_t)s->cirrus_blt_height-1) * pitch; >> ++ ((int64_t)s->cirrus_blt_height-1) *

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Wolfgang Bumiller
On Tue, Jan 24, 2017 at 01:29:58PM +0100, Gerd Hoffmann wrote: > > >>> if (pitch < 0) { > > >>> int64_t min = addr > > >>> -+ ((int64_t)s->cirrus_blt_height-1) * pitch; > > >>> ++ ((int64_t)s->cirrus_blt_height-1) * pitch > > >>> +-

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Gerd Hoffmann
> >>> if (pitch < 0) { > >>> int64_t min = addr > >>> -+ ((int64_t)s->cirrus_blt_height-1) * pitch; > >>> ++ ((int64_t)s->cirrus_blt_height-1) * pitch > >>> +- s->cirrus_blt_width; > >>> int32_t max = addr > >>> +

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Laszlo Ersek
On 01/24/17 12:17, Laszlo Ersek wrote: > On 01/24/17 11:48, Gerd Hoffmann wrote: diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 379910d..7ddd289 100644 --- a/hw/display/cirrus_vga.c +++ b/hw/display/cirrus_vga.c @@ -277,7 +277,8 @@ static bool

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Laszlo Ersek
On 01/24/17 11:48, Gerd Hoffmann wrote: >>> diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c >>> index 379910d..7ddd289 100644 >>> --- a/hw/display/cirrus_vga.c >>> +++ b/hw/display/cirrus_vga.c >>> @@ -277,7 +277,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState >>> *s,

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Gerd Hoffmann
> > diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c > > index 379910d..7ddd289 100644 > > --- a/hw/display/cirrus_vga.c > > +++ b/hw/display/cirrus_vga.c > > @@ -277,7 +277,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState > > *s, > > } > > if (pitch < 0) { > >

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Laszlo Ersek
On 01/24/17 10:34, Li Qiang wrote: > From: Li Qiang > > When doing bitblt copy in backward mode, minus the blt width first > to avoid an oob access issue. > > Signed-off-by: Li Qiang > --- > hw/display/cirrus_vga.c | 3 ++- > 1 file changed, 2

[Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Li Qiang
From: Li Qiang When doing bitblt copy in backward mode, we should subtract the blt width first, just like the addition in forward mode. This can avoid the oob access of the front of vga's vram. Signed-off-by: Li Qiang --- hw/display/cirrus_vga.c | 3 ++- 1

Re: [Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread no-reply
Hi, Your series seems to have some coding style problems. See output below for more information: Type: series Subject: [Qemu-devel] [PATCH] cirrus: fix oob access issue Message-id: 58871f9b.d635240a.4cda6.5...@mx.google.com === TEST SCRIPT BEGIN === #!/bin/bash BASE=base n=1 total=$(git log

[Qemu-devel] [PATCH] cirrus: fix oob access issue

2017-01-24 Thread Li Qiang
From: Li Qiang When doing bitblt copy in backward mode, minus the blt width first to avoid an oob access issue. Signed-off-by: Li Qiang --- hw/display/cirrus_vga.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git