SUSE:SLE-12-SP2:GA
File CVE-2018-5683-qemuu-out-of-bounds-read-in-vga_draw_text-routine.patch of Package xen.6712
Start a VM with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda redhat_5.11.qcow2 -device pcnet -vga cirrus, then use a VNC client to connect to the VM, and executing the code below in the guest OS will lead to a qemu crash:

#include <stdlib.h>   /* rand, srand */
#include <time.h>     /* time */
#include <sys/io.h>   /* iopl, outb */

int main() {
    iopl(3);                /* raise I/O privilege level so outb() is permitted (run as root in the guest) */
    srand(time(NULL));
    int a, b;
    while (1) {
        a = rand() % 0x100;          /* random byte value */
        b = 0x3c0 + (rand() % 0x20); /* random port in the VGA I/O range 0x3c0-0x3df */
        outb(a, b);
    }
    return 0;
}

The above code is writing the registers of VGA randomly. We can write VGA CRT controller registers index 0x0C or 0x0D (which is the start address register) to modify the display memory address of the upper left pixel or character of the screen. The address may be out of the range of vga ram. So we should check the validation of memory address when reading or writing it to avoid segfault.

Signed-off-by: linzhecheng <address@hidden>

--- hw/display/vga.c | 3 +++ 1 file changed, 3 insertions(+) Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/display/vga.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/display/vga.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/display/vga.c @@ -1503,6 +1503,9 @@ static void vga_draw_text(VGACommonState cx_min = width; cx_max = -1; for(cx = 0; cx < width; cx++) { + if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) { + break; + } ch_attr = *(uint16_t *)src; if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) { if (cx < cx_min)
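Review bot: the new bound check in vga_draw_text only guards the text-mode read `ch_attr = *(uint16_t *)src;`, while the commit message describes the CRTC start-address registers (index 0x0C/0x0D) moving the address of "the upper left pixel or character" and asks for the address to be checked "when reading or writing it"; the diffstat (1 file changed, 3 insertions) shows no corresponding check for the pixel (graphics-mode) path, so either add the equivalent guard there or narrow the commit message to the text renderer. Two smaller points on the same hunk: forming `src + sizeof(uint16_t)` past the end of the allocation before comparing is out-of-bounds pointer arithmetic in C, and comparing offsets instead, e.g. `if ((size_t)(src - s->vram_ptr) + sizeof(uint16_t) > s->vram_size)`, avoids it; and the bare `break` silently leaves the rest of the row unrendered rather than wrapping, which is acceptable for a crash fix but deserves a one-line comment above the `if` so the next reader does not take it for a logic error.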