Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
qemu-linux-user.11147
0437-vnc-fix-memory-corruption-CVE-2015-.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0437-vnc-fix-memory-corruption-CVE-2015-.patch of Package qemu-linux-user.11147
From 99491725c09b1b7fb921a7540bbfc08e2523b29e Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann <kraxel@redhat.com> Date: Mon, 17 Aug 2015 19:56:53 +0200 Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential memory corruption issues" can become negative. Result is (possibly exploitable) memory corruption. Reason for that is it uses the stride instead of bytes per scanline to apply limits. For the server surface is is actually fine. vnc creates that itself, there is never any padding and thus scanline length always equals stride. For the guest surface scanline length and stride are typically identical too, but it doesn't has to be that way. So add and use a new variable (guest_ll) for the guest scanline length. Also rename min_stride to line_bytes to make more clear what it actually is. Finally sprinkle in an assert() to make sure we never use a negative _cmp_bytes again. Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com> Reviewed-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b) [BR: BSC#1026612 CVE-2017-2633 (this fix fixes first fix)] Signed-off-by: Bruce Rogers <brogers@suse.com> --- ui/vnc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/ui/vnc.c b/ui/vnc.c index cb5c7eca51..4230931571 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -2608,7 +2608,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd) pixman_image_get_width(vd->server)); int height = MIN(pixman_image_get_height(vd->guest.fb), pixman_image_get_height(vd->server)); - int cmp_bytes, server_stride, min_stride, guest_stride, y = 0; + int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0; uint8_t *guest_row0 = NULL, *server_row0; VncState *vs; int has_dirty = 0; @@ -2627,17 +2627,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd) * Update server dirty map. */ server_row0 = (uint8_t *)pixman_image_get_data(vd->server); - server_stride = guest_stride = pixman_image_get_stride(vd->server); + server_stride = guest_stride = guest_ll = + pixman_image_get_stride(vd->server); cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES, server_stride); if (vd->guest.format != VNC_SERVER_FB_FORMAT) { int width = pixman_image_get_width(vd->server); tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); } else { + int guest_bpp = + PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb)); guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); guest_stride = pixman_image_get_stride(vd->guest.fb); + guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8); } - min_stride = MIN(server_stride, guest_stride); + line_bytes = MIN(server_stride, guest_ll); for (;;) { int x; @@ -2668,9 +2672,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd) if (!test_and_clear_bit(x, vd->guest.dirty[y])) { continue; } - if ((x + 1) * cmp_bytes > min_stride) { - _cmp_bytes = min_stride - x * cmp_bytes; + if ((x + 1) * cmp_bytes > line_bytes) { + _cmp_bytes = line_bytes - x * cmp_bytes; } + assert(_cmp_bytes >= 0); if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) { continue; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor