Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
qemu-testsuite.9341
0261-vga-check-the-validation-of-memory-.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0261-vga-check-the-validation-of-memory-.patch of Package qemu-testsuite.9341
From f68a53336a298919865feb81765823d36014a486 Mon Sep 17 00:00:00 2001 From: linzhecheng <linzhecheng@huawei.com> Date: Thu, 11 Jan 2018 21:27:24 +0800 Subject: [PATCH] vga: check the validation of memory addr when draw text Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda redhat_5.11.qcow2 -device pcnet -vga cirrus, then use VNC client to connect to VM, and excute the code below in guest OS will lead to qemu crash: int main() { iopl(3); srand(time(NULL)); int a,b; while(1){ a = rand()%0x100; b = 0x3c0 + (rand()%0x20); outb(a,b); } return 0; } The above code is writing the registers of VGA randomly. We can write VGA CRT controller registers index 0x0C or 0x0D (which is the start address register) to modify the the display memory address of the upper left pixel or character of the screen. The address may be out of the range of vga ram. So we should check the validation of memory address when reading or writing it to avoid segfault. Signed-off-by: linzhecheng <linzhecheng@huawei.com> Message-id: 20180111132724.13744-1-linzhecheng@huawei.com Fixes: CVE-2018-5683 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 191f59dc17396bb5a8da50f8c59b6e0a430711a4) [LY: BSC#1076114 CVE-2018-5683] Signed-off-by: Liang Yan <lyan@suse.com> --- hw/display/vga.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/display/vga.c b/hw/display/vga.c index e737a75db4..fc83e03e4c 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -1293,6 +1293,9 @@ static void vga_draw_text(VGACommonState *s, int full_update) cx_min = width; cx_max = -1; for(cx = 0; cx < width; cx++) { + if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) { + break; + } ch_attr = *(uint16_t *)src; if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) { if (cx < cx_min)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor