Re: [Qemu-devel] [PATCH resend] vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow

2010-01-11 Thread Anthony Liguori

On 01/05/2010 10:43 PM, Roland Dreier wrote:

Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.

Signed-off-by: Roland Dreier rola...@cisco.com


Applied.  Thanks.

Regards,

Anthony Liguori

---
Hi Anthony,

as far as I can tell this seems to have slipped through the cracks.  I
think this is fairly important: it is a guest-triggerable stack smashing
attack in the worst case.

Thanks,
  Roland

  hw/vmware_vga.c |7 +++
  1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 7ab1c79..5e969ae 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
  cursor.height = y = vmsvga_fifo_read(s);
  vmsvga_fifo_read(s);
  cursor.bpp = vmsvga_fifo_read(s);
+
+   if (SVGA_BITMAP_SIZE(x, y)  sizeof cursor.mask ||
+   SVGA_PIXMAP_SIZE(x, y, cursor.bpp)  sizeof cursor.image) {
+   args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, 
cursor.bpp);
+   goto badcmd;
+   }
+
  for (args = 0; args  SVGA_BITMAP_SIZE(x, y); args ++)
  cursor.mask[args] = vmsvga_fifo_read_raw(s);
  for (args = 0; args  SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)

[Qemu-devel] [PATCH resend] vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow

2010-01-05 Thread Roland Dreier
Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.

Signed-off-by: Roland Dreier rola...@cisco.com
---
Hi Anthony,

as far as I can tell this seems to have slipped through the cracks.  I
think this is fairly important: it is a guest-triggerable stack smashing
attack in the worst case.

Thanks,
  Roland

 hw/vmware_vga.c |7 +++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 7ab1c79..5e969ae 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 cursor.height = y = vmsvga_fifo_read(s);
 vmsvga_fifo_read(s);
 cursor.bpp = vmsvga_fifo_read(s);
+
+   if (SVGA_BITMAP_SIZE(x, y)  sizeof cursor.mask ||
+   SVGA_PIXMAP_SIZE(x, y, cursor.bpp)  sizeof cursor.image) {
+   args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, 
cursor.bpp);
+   goto badcmd;
+   }
+
 for (args = 0; args  SVGA_BITMAP_SIZE(x, y); args ++)
 cursor.mask[args] = vmsvga_fifo_read_raw(s);
 for (args = 0; args  SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
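Review bot: the new check bounds the guest-supplied cursor only indirectly, through the size macros: `x`, `y` and `cursor.bpp` all come straight from `vmsvga_fifo_read(s)`, and the only limit applied is `SVGA_BITMAP_SIZE(x, y)` / `SVGA_PIXMAP_SIZE(x, y, cursor.bpp)` compared against `sizeof cursor.mask` / `sizeof cursor.image`. If those macros multiply their arguments in a fixed-width integer type, large width and height values could wrap to a small byte count that passes the comparison while `cursor.width` and `cursor.height` keep their oversized values for whatever consumes the cursor later; rejecting width, height and bpp against explicit maximum values before the size macros are evaluated would close that gap in addition to the byte-count test. A short comment above the `if` stating that this is the guest-controlled bounds check, and why `args` is set to the combined size before `goto badcmd`, would also help, since the hunk does not show what `badcmd` does with `args`.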