+-- On Tue, 20 Oct 2020, BALATON Zoltan wrote --+
| The card has 32 bit registers with values in them interpreted differently for
| different regs. For dst_x|y lower 14 bits can be set and value should be
| interpreted as -8192:8191 according to docs. I've got this wrong because all
| guests I've tried did not actually use negative values. The Solaris driver I
| was recently shown not to work may use that so I plan to look at it and fix it
| when I'll have time.
...
| Docs aren't very clear on that but I think these cannot be negative so
| 0:8191 is valid range because it mentions that also bits 0-13 (or maybe
| 0-15, the docs have a lot of copy&paste errors) are valid but only 0-12 are
| used for rectangles, 13-15 used only for trapezoids (which we don't
| emulate). The docs are really bad so we have to guess and see what guest
| drivers do most of the time.
* I see. Are the docs available/accessible online?
| > dst_y(=4294950914(=-16382)) + s->regs.dst_height(=16383)) overflows to => 1
| > Ie. (dst_bits + dst_x(=0) + (1) * dst_stride >= end) returns false.
|
| So maybe we should cast something (like dst_stride) to uint64_t here to
| promote everything to 64 bit and prevent it overflowing which then should
| catch this as well?
...
| > + if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
| > + || dst_bits + dst_x + (dst_y + s->regs.dst_height)
| > + * dst_stride >= end) {
| > ...
| > + if (src_x > 0x3fff || src_y > 0x3ff || src_bits >= end
| > + || src_bits + src_x + (src_y + s->regs.dst_height)
| > + * src_stride >= end) {
| > qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
|
| I can live with that until I have a chance to rewrite it but are you sure this
| will catch all possible overflows with all vram sizes that can be set with
| vgamem_mb property?
* Considering all fields are 'uint32_t' type; And majority of the values
s->regs.[src|dst]_[xy], s->regs.dst_height are masked with '0x3fff', it
should help to avoid overflows.
* Not sure about all vram sizes. What are possible/supported size options?
* Between casting expression to 64 bits & explicit src_[xy] > 0x3fff check,
I'd go with explicit check, as it's easy to follow.
Will send a revised patch with src_[xy] > 0x3fff if it's okay with you.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
