[qemu-xen master] vga: check the validation of memory addr when draw text

patchbot
commit 63112b16a6abd31d40df2b9a1dd713b42eb59c6b
Author:     linzhecheng <[hidden email]>
AuthorDate: Thu Jan 11 21:27:24 2018 +0800
Commit:     Michael Roth <[hidden email]>
CommitDate: Mon Feb 12 19:19:25 2018 -0600

    vga: check the validation of memory addr when draw text
   
    Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
    redhat_5.11.qcow2  -device pcnet -vga cirrus,
    then use a VNC client to connect to the VM; executing the code below in the guest
    OS will lead to a qemu crash:
   
    #include <stdlib.h>
    #include <time.h>
    #include <sys/io.h>   /* iopl(), outb(): x86 Linux, needs root */

    int main(void)
    {
        /* Raise the I/O privilege level so user space may issue outb(). */
        if (iopl(3) < 0)
            return 1;
        srand(time(NULL));
        int a, b;
        while (1) {
            a = rand() % 0x100;            /* random byte value */
            b = 0x3c0 + (rand() % 0x20);   /* random port in the VGA range 0x3c0-0x3df */
            outb(a, b);                    /* write value a to port b */
        }
        return 0;
    }
   
    The above code is writing the registers of VGA randomly.
    We can write VGA CRT controller registers index 0x0C or 0x0D
    (which is the start address register) to modify the
    display memory address of the upper left pixel
    or character of the screen. The address may be out of the
    range of vga ram. So we should check the validation of memory address
    when reading or writing it to avoid a segfault.
   
    Signed-off-by: linzhecheng <[hidden email]>
    Message-id: [hidden email]
    Fixes: CVE-2018-5683
    Signed-off-by: Gerd Hoffmann <[hidden email]>
    (cherry picked from commit 191f59dc17396bb5a8da50f8c59b6e0a430711a4)
    Signed-off-by: Michael Roth <[hidden email]>
---
 hw/display/vga.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index a64a094..d150a3a 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1280,6 +1280,9 @@ static void vga_draw_text(VGACommonState *s, int full_update)
         cx_min = width;
         cx_max = -1;
         for(cx = 0; cx < width; cx++) {
+            if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+                break;
+            }
             ch_attr = *(uint16_t *)src;
             if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
                 if (cx < cx_min)
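Review bot: the new guard only covers the text-mode reader in vga_draw_text, yet the commit message says the start address register moves "the upper left pixel or character", i.e. the same guest-controlled offset also feeds the graphics-mode draw path, and nothing in this 3-line diff bounds that path; either confirm it is already bounded or say in the commit message that this fix is limited to text mode. On the check itself, `src + sizeof(uint16_t) > s->vram_ptr + s->vram_size` forms a pointer that may already lie beyond the vram allocation before it is compared; writing it on offsets, e.g. `if ((size_t)(src - s->vram_ptr) + sizeof(uint16_t) > s->vram_size)`, avoids the out-of-range pointer arithmetic and reads as a plain bounds check. Finally, `break` leaves the rest of this row and every following row undrawn (each later row starts even further out and breaks at once); a one-line comment noting that this is intentional for a guest that programmed an out-of-range start address would help the next reader.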
--
generated by git-patchbot for /home/xen/git/qemu-xen.git#master

_______________________________________________
Xen-changelog mailing list
[hidden email]
https://lists.xenproject.org/xen-changelog
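To make the mechanism in the commit message concrete, here is an added C example written for this page; it is not code from QEMU, from the patch, or from the patch author. It models a text-mode renderer over a constructed 64 KiB frame buffer and assumes a 4-byte stride per text cell, an 80x25 character grid, and a start address read from CRTC registers 0x0C (high byte) and 0x0D (low byte); the names vga_model, crtc_write, draw_text_model and run_scenario are hypothetical. Instead of drawing, it counts cells: with the guard off it reports how many 16-bit char/attribute reads fall past the end of vram once the guest programs a start address near the end, and with the guard on it applies the same bound as the patch and stops.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the state a text-mode renderer consumes; not QEMU's types. */
#define VRAM_SIZE   (64u * 1024u) /* assumption: a 64 KiB frame buffer for the demo    */
#define CELL_STRIDE 4u            /* assumption: one text cell occupies 4 bytes of vram */
#define TEXT_COLS   80u
#define TEXT_ROWS   25u

struct vga_model {
    uint8_t cr[0x19];        /* CRT controller registers, index 0x00..0x18 */
    uint8_t vram[VRAM_SIZE];
    size_t  vram_size;
};

/* Display start address as set by the guest through CRTC index 0x0C (high byte)
 * and 0x0D (low byte). The guest picks this value freely, so it is untrusted. */
static uint32_t start_addr(const struct vga_model *s)
{
    return ((uint32_t)s->cr[0x0C] << 8) | s->cr[0x0D];
}

/* Model of an outb() pair to the CRTC index/data ports. */
static void crtc_write(struct vga_model *s, uint8_t index, uint8_t value)
{
    if (index < sizeof s->cr)
        s->cr[index] = value;
}

struct walk_result {
    uint32_t cells_read;          /* cells the renderer touched */
    uint32_t cells_out_of_bounds; /* cells whose 16-bit char/attr read lies past vram */
};

/* Walk the text buffer the way the renderer does, counting cells instead of
 * drawing. checked == 0 models the pre-patch loop: every cell is "read", and the
 * ones past vram_size are the out-of-bounds reads behind CVE-2018-5683.
 * checked == 1 applies the patch's bound and breaks out of the row as the hunk
 * does; every later row starts even further out and breaks at once. */
static struct walk_result draw_text_model(const struct vga_model *s, int checked)
{
    struct walk_result r = {0, 0};
    size_t off = (size_t)start_addr(s) * CELL_STRIDE;   /* byte offset of the first cell */
    size_t line_offset = (size_t)TEXT_COLS * CELL_STRIDE;

    for (uint32_t cy = 0; cy < TEXT_ROWS; cy++) {
        size_t cell = off;
        for (uint32_t cx = 0; cx < TEXT_COLS; cx++) {
            /* Same test as the patch, on offsets rather than pointers so no
             * out-of-range pointer is ever formed. */
            if (cell + sizeof(uint16_t) > s->vram_size) {
                if (checked)
                    break;
                r.cells_out_of_bounds++;   /* the unchecked renderer would read here */
            } else {
                uint16_t ch_attr;
                memcpy(&ch_attr, s->vram + cell, sizeof ch_attr);
                (void)ch_attr;             /* a real renderer would draw the glyph */
            }
            r.cells_read++;
            cell += CELL_STRIDE;
        }
        off += line_offset;
    }
    return r;
}

/* Program a start address through CRTC 0x0C/0x0D and run one walk. */
static struct walk_result run_scenario(uint8_t start_hi, uint8_t start_lo, int checked)
{
    static struct vga_model s;   /* static: keeps the 64 KiB buffer off the stack */
    memset(&s, 0, sizeof s);
    s.vram_size = VRAM_SIZE;
    crtc_write(&s, 0x0C, start_hi);
    crtc_write(&s, 0x0D, start_lo);
    return draw_text_model(&s, checked);
}

int main(void)
{
    /* 0x3FF0 * 4 leaves 16 cells before the end of vram: the renderer runs off the end. */
    struct walk_result unchecked = run_scenario(0x3F, 0xF0, 0);
    struct walk_result checked   = run_scenario(0x3F, 0xF0, 1);
    printf("unchecked: %u cells read, %u out of bounds\n",
           (unsigned)unchecked.cells_read, (unsigned)unchecked.cells_out_of_bounds);
    printf("checked:   %u cells read, %u out of bounds\n",
           (unsigned)checked.cells_read, (unsigned)checked.cells_out_of_bounds);
    return 0;
}
```

Build with any C compiler and run it. For start address 0x3FF0 the unchecked walk processes all 2000 cells and 1984 of them lie beyond vram, which is the read the guest program in the commit message triggers; the checked walk reads the 16 cells that fit and then stops. The offset form of the bound is the one to prefer over comparing `src + 2` against `vram_ptr + vram_size`, because it never forms a pointer past the allocation.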