Since v1:
- Addressed Marc-André review comments
- Moved overrun check in qxl_get_check_slot_offset()

memory_region_get_ram_ptr() returns a host pointer for a MemoryRegion.
Sometimes we do offset calculation using this pointer without checking
the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series aims to fix it.

I haven't audited the other _get_ram_ptr() uses (yet). Eventually we
could rename it _get_ram_ptr_unsafe and add a safer helper which checks
for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (5):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
  hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion

 hw/display/qxl-logger.c | 22 +++++++++++++++++++---
 hw/display/qxl-render.c | 12 ++++++++----
 hw/display/qxl.c        | 37 ++++++++++++++++++++++++++++---------
 hw/display/qxl.h        | 23 ++++++++++++++++++++++-
 4 files changed, 77 insertions(+), 17 deletions(-)

-- 
2.38.1
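The cover letter sketches a "safer helper which checks for overrun" beside the existing unchecked pointer getter. The following is an added illustration of that idea, not code from this series or from QEMU: the `Region` type, `region_get_ram_ptr_unsafe()`, `range_fits()` and `region_get_ram_ptr_checked()` are hypothetical stand-ins for a MemoryRegion and its accessors, and the 4 KiB backing buffer is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a MemoryRegion backed by host RAM. */
typedef struct {
    uint8_t *host;   /* host pointer to the start of the region */
    uint64_t size;   /* size of the region in bytes */
} Region;

/* Unchecked pattern described in the cover letter: the caller gets the
 * base pointer and adds a guest-controlled offset with no size check. */
static uint8_t *region_get_ram_ptr_unsafe(Region *r)
{
    return r->host;
}

/* Returns 1 if [offset, offset + len) lies inside a region of the given
 * size. Written so that the sum cannot wrap: offset is compared first,
 * then len is compared against the remaining space. */
static int range_fits(uint64_t region_size, uint64_t offset, uint64_t len)
{
    if (offset > region_size) {
        return 0;
    }
    return len <= region_size - offset;
}

/* Safer helper: host pointer for the requested range, or NULL when the
 * range does not fit. Callers must handle NULL rather than fall back to
 * the unchecked pointer. */
static uint8_t *region_get_ram_ptr_checked(Region *r, uint64_t offset,
                                           uint64_t len)
{
    if (!range_fits(r->size, offset, len)) {
        return NULL;
    }
    return r->host + offset;
}

/* Constructed demonstration on a 4 KiB region: counts how many of the
 * sample (offset, len) requests the checked helper rejects. */
static int demo_rejected(void)
{
    static uint8_t backing[4096];
    Region r = { backing, sizeof(backing) };
    struct { uint64_t off, len; } cases[] = {
        { 0, 16 }, { 4080, 16 },          /* in bounds, last one ends exactly at size */
        { 4081, 16 }, { 4096, 1 },        /* one byte past the end */
        { UINT64_MAX, 16 }, { 8, UINT64_MAX } /* would wrap if added naively */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (!region_get_ram_ptr_checked(&r, cases[i].off, cases[i].len)) {
            rejected++;
        }
    }
    return rejected;
}
```

`region_get_ram_ptr_unsafe()` is kept only to show the pattern the helper replaces; a caller that computes `base + offset` from it has no way to know whether `offset + len` exceeds `size`.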