Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
xen.4698
CVE-2017-2620-xsa209-qemuu-cirrus_bitblt_cputov...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2017-2620-xsa209-qemuu-cirrus_bitblt_cputovideo-does-not-check-if-memory-region-safe.patch of Package xen.4698
References: bsc#1024834 CVE-2017-2620 XSA-209 From: Gerd Hoffmann <kraxel@redhat.com> Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination and blit width, at all. Oops. Fix it. Security impact: high. The missing blit destination check allows to write to host memory. Basically same as CVE-2014-8106 for the other blit variants. The missing blit width check allows to overflow cirrus_bltbuf, with the attractive target cirrus_srcptr (current cirrus_bltbuf write position) being located right after cirrus_bltbuf in CirrusVGAState. Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker hasn't full control over cirrus_srcptr though, only one byte can be changed. Once the first byte has been modified further writes land elsewhere. [ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/display/cirrus_vga.c | 8 ++++++++ 1 file changed, 8 insertions(+) Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/cirrus_vga.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/display/cirrus_vga.c +++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/cirrus_vga.c @@ -862,6 +862,10 @@ static int cirrus_bitblt_cputovideo(Cirr { int w; + if (blit_is_unsafe(s)) { + return 0; + } + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; s->cirrus_srcptr = &s->cirrus_bltbuf[0]; s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; @@ -887,6 +891,10 @@ static int cirrus_bitblt_cputovideo(Cirr } s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; } + + /* the blit_is_unsafe call above should catch this */ + assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); + s->cirrus_srcptr = s->cirrus_bltbuf; s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; cirrus_update_memory_access(s);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor