cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination and blit width, at all. Oops. Fix it. Security impact: high. The missing blit destination check allows to write to host memory. Basically same as CVE-2014-8106 for the other blit variants. Cc: qemu-stable@nongnu.org Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 92f2b88c) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Showing
想要评论请 注册 或 登录