Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2014-3689-20141029-1' into staging

vmware-vga: add rectangle verification (CVE-2014-3689) # gpg: Signature made Wed 29 Oct 2014 11:45:29 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-cve-2014-3689-20141029-1: vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect vmware-vga: add vmsvga_verify_rect vmware-vga: CVE-2014-3689: turn off hw accel Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2014-3689-20141029-1' into staging
vmware-vga: add rectangle verification (CVE-2014-3689) # gpg: Signature made Wed 29 Oct 2014 11:45:29 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-cve-2014-3689-20141029-1: vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect vmware-vga: add vmsvga_verify_rect vmware-vga: CVE-2014-3689: turn off hw accel Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>
4239e2dc · Peter Maydell · fecd54cc · bd9ccd85 · 4239e2dc
隐藏空白更改
内联并排

Showing with 78 addition and 38 deletion

hw/display/vmware_vga.c hw/display/vmware_vga.c +78 -38

未找到文件。
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -292,47 +292,74 @@ enum {
    SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
 };
-static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+static inline bool vmsvga_verify_rect(DisplaySurface *surface,
-                int x, int y, int w, int h)
+                                      const char *name,
+                                      int x, int y, int w, int h)
 {
-    DisplaySurface *surface = qemu_console_surface(s->vga.con);
-    int line;
-    int bypl;
-    int width;
-    int start;
-    uint8_t *src;
-    uint8_t *dst;
    if (x < 0) {
-        fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
+        fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
-        w += x;
+        return false;
-        x = 0;
+    }
+    if (x > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
+        return false;
    }
    if (w < 0) {
-        fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
+        fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
-        w = 0;
+        return false;
+    }
+    if (w > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
+        return false;
    }
    if (x + w > surface_width(surface)) {
-        fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+        fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
-                __func__, x, w);
+                name, surface_width(surface), x, w);
-        x = MIN(x, surface_width(surface));
+        return false;
-        w = surface_width(surface) - x;
    }
    if (y < 0) {
-        fprintf(stderr, "%s: update y was < 0 (%d)\n",  __func__, y);
+        fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
-        h += y;
+        return false;
-        y = 0;
+    }
+    if (y > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
+        return false;
    }
    if (h < 0) {
-        fprintf(stderr, "%s: update h was < 0 (%d)\n",  __func__, h);
+        fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
-        h = 0;
+        return false;
+    }
+    if (h > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
+        return false;
    }
    if (y + h > surface_height(surface)) {
-        fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+        fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
-                __func__, y, h);
+                name, surface_height(surface), y, h);
-        y = MIN(y, surface_height(surface));
+        return false;
-        h = surface_height(surface) - y;
+    }
+    return true;
+}
+static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+                                      int x, int y, int w, int h)
+{
+    DisplaySurface *surface = qemu_console_surface(s->vga.con);
+    int line;
+    int bypl;
+    int width;
+    int start;
+    uint8_t *src;
+    uint8_t *dst;
+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        /* go for a fullscreen update as fallback */
+        x = 0;
+        y = 0;
+        w = surface_width(surface);
+        h = surface_height(surface);
    }
    bypl = surface_stride(surface);
@@ -377,7 +404,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
 }
 #ifdef HW_RECT_ACCEL
-static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
                int x0, int y0, int x1, int y1, int w, int h)
 {
    DisplaySurface *surface = qemu_console_surface(s->vga.con);
@@ -388,6 +415,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
    int line = h;
    uint8_t *ptr[2];
+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
+        return -1;
+    }
+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
+        return -1;
+    }
    if (y1 > y0) {
        ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
        ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
@@ -403,11 +437,12 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
    }
    vmsvga_update_rect_delayed(s, x1, y1, w, h);
+    return 0;
 }
 #endif
 #ifdef HW_FILL_ACCEL
-static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
                uint32_t c, int x, int y, int w, int h)
 {
    DisplaySurface *surface = qemu_console_surface(s->vga.con);
@@ -420,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
    uint8_t *src;
    uint8_t col[4];
+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        return -1;
+    }
    col[0] = c;
    col[1] = c >> 8;
    col[2] = c >> 16;
@@ -444,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
    }
    vmsvga_update_rect_delayed(s, x, y, w, h);
+    return 0;
 }
 #endif
@@ -576,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
            width = vmsvga_fifo_read(s);
            height = vmsvga_fifo_read(s);
 #ifdef HW_FILL_ACCEL
-            vmsvga_fill_rect(s, colour, x, y, width, height);
+            if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
-            break;
+                break;
-#else
+            }
+#endif
            args = 0;
            goto badcmd;
-#endif
        case SVGA_CMD_RECT_COPY:
            len -= 7;
@@ -596,12 +636,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
            width = vmsvga_fifo_read(s);
            height = vmsvga_fifo_read(s);
 #ifdef HW_RECT_ACCEL
-            vmsvga_copy_rect(s, x, y, dx, dy, width, height);
+            if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
-            break;
+                break;
-#else
+            }
+#endif
            args = 0;
            goto badcmd;
-#endif
        case SVGA_CMD_DEFINE_CURSOR:
            len -= 8;