On Fri, Nov 25, 2022 at 4:40 PM Philippe Mathieu-Daudé <phi...@linaro.org> wrote:
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.

This is now CVE-2022-4144. Please add a proper "Fixes:" tag, if possible.
Thank you for the fix.

> Worth considering for 7.2?
>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (4):
>   hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
>   hw/display/qxl: Document qxl_phys2virt()
>   hw/display/qxl: Pass qxl_phys2virt size
>   hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
>
>  hw/display/qxl-logger.c | 22 +++++++++++++++++++---
>  hw/display/qxl-render.c | 11 +++++++----
>  hw/display/qxl.c        | 25 +++++++++++++++++++------
>  hw/display/qxl.h        | 23 ++++++++++++++++++++++-
>  4 files changed, 67 insertions(+), 14 deletions(-)
>
> --
> 2.38.1
>

--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
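The cover letter above describes the bug class (host pointer from a RAM-backed region plus a guest-controlled offset, never compared against the region size) and sketches the remedy (a helper that takes the access size and checks for overrun). The following stand-alone C model is an added example for this thread; it is not QEMU code and not part of Philippe's series. `ram_region_t`, `ram_ptr_unchecked`, `ram_ptr_checked`, `naive_check` and `access_allowed` are hypothetical names chosen for the illustration, and the 64-byte region is constructed test data. It shows the unchecked pattern, a naive `offset + len <= size` check that can be defeated by unsigned wraparound, and the wraparound-safe form a size-aware helper should use.

```c
/* Added example (not QEMU code): modelling the "safer helper which checks
 * for overrun" proposed in the cover letter. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a RAM-backed MemoryRegion (constructed). */
typedef struct {
    uint8_t *host;   /* what memory_region_get_ram_ptr() hands back */
    uint64_t size;   /* size of the backing RAM in bytes */
} ram_region_t;

/* The pattern the cover letter warns about: pointer plus guest offset with
 * no comparison against the region size. Any offset "succeeds". */
static uint8_t *ram_ptr_unchecked(ram_region_t *mr, uint64_t offset)
{
    return mr->host + offset;
}

/* A tempting but insufficient check: offset + len can wrap around in
 * uint64_t and pass the comparison with a huge len. Kept only to show the
 * pitfall; returns 1 when the check would (wrongly) admit the access. */
static int naive_check(uint64_t size, uint64_t offset, uint64_t len)
{
    return offset + len <= size;
}

/* Wraparound-safe helper: NULL unless [offset, offset + len) lies entirely
 * inside the region. Rewriting the condition as "len <= size - offset"
 * after confirming offset <= size avoids the overflowing addition. */
static uint8_t *ram_ptr_checked(ram_region_t *mr, uint64_t offset, uint64_t len)
{
    if (offset > mr->size || len > mr->size - offset) {
        return NULL;
    }
    return mr->host + offset;
}

/* Test hook: 1 if the checked helper admits an access of len bytes at
 * offset into a constructed 64-byte region, 0 if it rejects it. */
static int access_allowed(uint64_t offset, uint64_t len)
{
    static uint8_t backing[64];
    ram_region_t mr = { backing, sizeof(backing) };
    return ram_ptr_checked(&mr, offset, len) != NULL;
}

int main(void)
{
    static uint8_t backing[64];
    ram_region_t mr = { backing, sizeof(backing) };
    uint64_t cases[][2] = {
        { 0, 64 },          /* whole region: fine */
        { 60, 4 },          /* last 4 bytes: fine */
        { 60, 5 },          /* one byte past the end: overrun */
        { 8, UINT64_MAX },  /* wraps under naive check: overrun */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t off = cases[i][0], len = cases[i][1];
        printf("offset=%llu len=%llu unchecked=%s naive=%d checked=%s\n",
               (unsigned long long)off, (unsigned long long)len,
               ram_ptr_unchecked(&mr, off) ? "ptr" : "NULL",
               naive_check(mr.size, off, len),
               ram_ptr_checked(&mr, off, len) ? "ptr" : "NULL");
    }
    return 0;
}
```

The fourth case is the one a reviewer should look for when a bounds check is added: `8 + UINT64_MAX` wraps to 7, so the naive form admits a read that reaches far past the region, while the subtraction form rejects it. Passing the exact size of the structure being read (as the series does for qxl_phys2virt) only helps if the helper performs the comparison in this wraparound-safe way.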