[Qemu-commits] [qemu/qemu] 54a85d: vbe: make bochs dispi interface retur


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 54a85d: vbe: make bochs dispi interface return the correct...
Date: Fri, 05 Sep 2014 06:00:06 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 54a85d462447c1cb8a1638578a7fd086350b4d2d
          https://github.com/qemu/qemu/commit/54a85d462447c1cb8a1638578a7fd086350b4d2d
  Author: Gerd Hoffmann <address@hidden>
  Date:   2014-09-04 (Thu, 04 Sep 2014)

  Changed paths:
    M hw/display/qxl.c
    M hw/display/vga.c
    M hw/display/vga_int.h

  Log Message:
  -----------
  vbe: make bochs dispi interface return the correct memory size with qxl

VgaState->vram_size is the size of the pci bar.  In case of qxl not the
whole pci bar can be used as vga framebuffer.  Add a new variable
vbe_size to handle that case.  By default (if unset) it equals
vram_size, but qxl can set vbe_size to something else.

This makes sure VBE_DISPI_INDEX_VIDEO_MEMORY_64K returns correct results
and sanity checks are done with the correct size too.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>


  Commit: c1b886c45dc70f247300f549dce9833f3fa2def5
          https://github.com/qemu/qemu/commit/c1b886c45dc70f247300f549dce9833f3fa2def5
  Author: Gerd Hoffmann <address@hidden>
  Date:   2014-09-04 (Thu, 04 Sep 2014)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vbe: rework sanity checks

Plug a bunch of holes in the bochs dispi interface parameter checking.
Add a function doing verification on all registers.  Call that
unconditionally on every register write.  That way we should catch
everything, even changing one register affecting the valid range of
another register.

Some of the holes have been added by commit
e9c6149f6ae6873f14a12eea554925b6aa4c4dec.  Before that commit the
maximum possible framebuffer (VBE_DISPI_MAX_XRES * VBE_DISPI_MAX_YRES *
32 bpp) has been smaller than the qemu vga memory (8MB) and the checking
for VBE_DISPI_MAX_XRES + VBE_DISPI_MAX_YRES + VBE_DISPI_MAX_BPP was ok.

Some of the holes have been there forever, such as
VBE_DISPI_INDEX_X_OFFSET and VBE_DISPI_INDEX_Y_OFFSET register writes
lacking any verification.

Security impact:

(1) Guest can make the ui (gtk/vnc/...) use memory ranges outside the vga
frame buffer as source -> host memory leak.  Memory isn't leaked to
the guest but to the vnc client though.

(2) Qemu will segfault in case the memory range happens to include
unmapped areas -> Guest can DoS itself.

The guest cannot modify host memory, so I don't think this can be used
by the guest to escape.

CVE-2014-3615

Cc: address@hidden
Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>

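The two vbe commits above describe the defensive pattern rather than showing it: keep a separate vbe_size for the part of the BAR that is really usable as framebuffer, and re-validate every dispi register together on each write so that changing one register cannot silently push another out of range. The following C model, added here as an illustration and not code from QEMU or from Gerd Hoffmann's patches, implements that check on a constructed register file. The register names, limits (MAX_XRES, MAX_YRES) and the "reject the write" policy are assumptions for the example; the real device keeps different state and clamps rather than rejects.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for the model; not QEMU's VBE_DISPI_MAX_* values. */
#define MAX_XRES 16000u
#define MAX_YRES 12000u

/* Hypothetical register file: everything a guest can set through the dispi
 * index/data ports in this model. */
struct vbe_regs {
    uint32_t xres, yres, bpp;
    uint32_t virt_width;     /* 0 means "same as xres" */
    uint32_t x_offset, y_offset;
};

/* vram_size is the PCI BAR size; vbe_size is the part usable as VGA
 * framebuffer. It defaults to vram_size but a device (qxl in the commit)
 * may set it smaller. */
struct vga_model {
    uint32_t vram_size;
    uint32_t vbe_size;
};

enum vbe_index { VBE_XRES, VBE_YRES, VBE_BPP, VBE_VIRT_WIDTH,
                 VBE_X_OFFSET, VBE_Y_OFFSET };

void vga_model_init(struct vga_model *vga, uint32_t vram_size, uint32_t vbe_size)
{
    vga->vram_size = vram_size;
    vga->vbe_size = vbe_size ? vbe_size : vram_size;   /* unset -> whole BAR */
}

/* Check the whole register set at once. All arithmetic is done in 64 bits so
 * a large guest-supplied value cannot wrap the size computation. Returns true
 * only if every pixel the scanout would read lies inside vbe_size. */
bool vbe_regs_valid(const struct vga_model *vga, const struct vbe_regs *r)
{
    if (r->xres == 0 || r->yres == 0 || r->xres > MAX_XRES || r->yres > MAX_YRES)
        return false;
    if (r->bpp != 8 && r->bpp != 15 && r->bpp != 16 && r->bpp != 24 && r->bpp != 32)
        return false;

    uint64_t bytes_pp = (r->bpp + 7) / 8;                /* 15 bpp -> 2 bytes */
    uint64_t virt_w = r->virt_width ? r->virt_width : r->xres;
    if (virt_w < r->xres || virt_w > MAX_XRES)
        return false;
    /* The x offset must not push the visible line past the virtual line. */
    if ((uint64_t)r->x_offset + r->xres > virt_w)
        return false;

    uint64_t line_bytes = virt_w * bytes_pp;
    uint64_t start = (uint64_t)r->y_offset * line_bytes + (uint64_t)r->x_offset * bytes_pp;
    uint64_t end = start + (uint64_t)(r->yres - 1) * line_bytes + (uint64_t)r->xres * bytes_pp;
    return end <= vga->vbe_size;
}

/* Model of a guest register write: apply it to a copy, validate the full set,
 * and commit only if it still fits. Returns true when the write was accepted.
 * (Rejecting is a simplification chosen for this example.) */
bool vbe_write_reg(const struct vga_model *vga, struct vbe_regs *regs,
                   enum vbe_index idx, uint32_t val)
{
    struct vbe_regs next = *regs;
    switch (idx) {
    case VBE_XRES:       next.xres = val;       break;
    case VBE_YRES:       next.yres = val;       break;
    case VBE_BPP:        next.bpp = val;        break;
    case VBE_VIRT_WIDTH: next.virt_width = val; break;
    case VBE_X_OFFSET:   next.x_offset = val;   break;
    case VBE_Y_OFFSET:   next.y_offset = val;   break;
    }
    if (!vbe_regs_valid(vga, &next))
        return false;
    *regs = next;
    return true;
}

int main(void)
{
    struct vga_model qxl_like;
    vga_model_init(&qxl_like, 16u << 20, 8u << 20);   /* 16 MB BAR, 8 MB usable */
    struct vbe_regs regs = { 1024, 768, 32, 1024, 0, 0 };

    printf("1024x768x32 fits: %d\n", vbe_regs_valid(&qxl_like, &regs));
    printf("y_offset=2000 accepted: %d\n", vbe_write_reg(&qxl_like, &regs, VBE_Y_OFFSET, 2000));
    printf("x_offset=100 accepted: %d\n", vbe_write_reg(&qxl_like, &regs, VBE_X_OFFSET, 100));
    return 0;
}
```

The y_offset case is the one the first commit is about: 2000 lines of 4096 bytes plus a 768-line frame ends at 11,337,728 bytes, which is inside a 16 MB BAR but outside the 8 MB the qxl device actually exposes as framebuffer, so checking against vram_size instead of vbe_size would accept it.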

  Commit: ab9509cceabef28071e41bdfa073083859c949a7
          https://github.com/qemu/qemu/commit/ab9509cceabef28071e41bdfa073083859c949a7
  Author: Gerd Hoffmann <address@hidden>
  Date:   2014-09-05 (Fri, 05 Sep 2014)

  Changed paths:
    M ui/spice-display.c

  Log Message:
  -----------
  spice: make sure we don't overflow ssd->buf

Related spice-only bug.  We have a fixed 16 MB buffer here, being
presented to the spice-server as qxl video memory in case spice is
used with a non-qxl card.  It's also used with qxl in vga mode.

When using display resolutions requiring more than 16 MB of memory we
are going to overflow that buffer.  In theory the guest can write,
indirectly via spice-server.  The spice-server clears the memory after
setting a new video mode though, triggering a segfault in the overflow
case, so qemu crashes before the guest has a chance to do something
evil.

Fix that by switching to dynamic allocation for the buffer.

CVE-2014-3615

Cc: address@hidden
Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>


  Commit: 5fd7fc8db92adea953ecf5917168989a28e8871f
          https://github.com/qemu/qemu/commit/5fd7fc8db92adea953ecf5917168989a28e8871f
  Author: Peter Maydell <address@hidden>
  Date:   2014-09-05 (Fri, 05 Sep 2014)

  Changed paths:
    M hw/display/qxl.c
    M hw/display/vga.c
    M hw/display/vga_int.h
    M ui/spice-display.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2014-3615-20140905-1' into staging

CVE-2014-3615: fix sanity checks in vbe (bochs dispi) and spice.

# gpg: Signature made Fri 05 Sep 2014 12:18:04 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"

* remotes/kraxel/tags/pull-cve-2014-3615-20140905-1:
  spice: make sure we don't overflow ssd->buf
  vbe: rework sanity checks
  vbe: make bochs dispi interface return the correct memory size with qxl

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/fd884c07658d...5fd7fc8db92a
