Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Philippe Mathieu-Daudé (4):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass qxl_phys2virt size
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

 hw/display/qxl-logger.c | 22 +++---
 hw/display/qxl-render.c | 11 +++
 hw/display/qxl.c        | 25 +++--
 hw/display/qxl.h        | 23 ++-
 4 files changed, 67 insertions(+), 14 deletions(-)

I am having a hard time with my MTA:

  4.3.0 Temporary System Problem. Try again later (2). k1-20020a7bc40100b003cfbe1da539sm5571640wmi.36 - gsmtp

Sorry if this series is mis-posted, I'll try to resend as a whole later.
Re: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
On Fri, Nov 25, 2022 at 4:40 PM Philippe Mathieu-Daudé wrote:
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.

This is now CVE-2022-4144. Please add a proper "Fixes:" tag, if possible.

Thank you for the fix.

> Worth considering for 7.2?
>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (4):
>   hw/display/qxl: Have qxl_log_command Return early if no log_cmd
> handler
>   hw/display/qxl: Document qxl_phys2virt()
>   hw/display/qxl: Pass qxl_phys2virt size
>   hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
>
>  hw/display/qxl-logger.c | 22 +++---
>  hw/display/qxl-render.c | 11 +++
>  hw/display/qxl.c        | 25 +++--
>  hw/display/qxl.h        | 23 ++-
>  4 files changed, 67 insertions(+), 14 deletions(-)
>
> --
> 2.38.1
>

--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
[RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (4):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass qxl_phys2virt size
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

 hw/display/qxl-logger.c | 22 +++---
 hw/display/qxl-render.c | 11 +++
 hw/display/qxl.c        | 25 +++--
 hw/display/qxl.h        | 23 ++-
 4 files changed, 67 insertions(+), 14 deletions(-)

--
2.38.1
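The pattern the cover letter describes, as an added example in C. This is not QEMU's code and does not reproduce qxl_phys2virt() or the series above: ram_region is a hypothetical stand-in for a MemoryRegion (host pointer plus size), guest_cmd for a guest-written command carrying an offset and a length, and phys2virt_unsafe, phys2virt_checked, handle_cmd, accepted and demo_cmd are names invented here. The unsafe variant is the base-plus-offset arithmetic that never looks at the region size; the checked variant takes the size of the object being accessed, as the "Pass qxl_phys2virt size" patch title suggests, and refuses anything that does not fit entirely inside the region, including offsets whose addition to the length would wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for a MemoryRegion backed by host RAM: the host
 * pointer (what memory_region_get_ram_ptr() hands back) and the size that
 * the unsafe pattern never consults.
 */
typedef struct {
    uint8_t *host;
    uint64_t size;
} ram_region;

/* Hypothetical guest-written command: where its payload lives and how long it is. */
typedef struct {
    uint64_t data_offset;   /* offset into the region, chosen by the guest */
    uint32_t data_len;      /* payload length, also chosen by the guest */
} guest_cmd;

/* The pattern under discussion: base pointer plus guest offset, no size check. */
void *phys2virt_unsafe(const ram_region *r, uint64_t offset)
{
    return r->host + offset;
}

/*
 * Checked translation: the len-byte object at offset must lie entirely
 * inside the region. The comparison is arranged so that offset + len is
 * never formed, so a huge offset cannot wrap the sum back below size.
 * Returns NULL when the object does not fit.
 */
void *phys2virt_checked(const ram_region *r, uint64_t offset, uint64_t len)
{
    if (len == 0 || len > r->size) {
        return NULL;        /* nothing to read, or larger than the whole region */
    }
    if (offset > r->size - len) {
        return NULL;        /* starts too late to fit; also catches offsets near 2^64 */
    }
    return r->host + offset;
}

/*
 * Device-side consumer: copy the command payload into a host buffer of
 * capacity out_cap. Returns bytes copied, or -1 when the command is
 * rejected because the payload would overrun the guest region or out.
 */
long handle_cmd(const ram_region *r, const guest_cmd *cmd,
                uint8_t *out, size_t out_cap)
{
    if (cmd->data_len > out_cap) {
        return -1;
    }
    const uint8_t *src = phys2virt_checked(r, cmd->data_offset, cmd->data_len);
    if (src == NULL) {
        return -1;
    }
    memcpy(out, src, cmd->data_len);
    return (long)cmd->data_len;
}

/* Does the checked translation accept (offset, len) in a region of size bytes? */
int accepted(uint64_t size, uint64_t offset, uint64_t len)
{
    uint8_t backing[64];    /* callers keep size <= 64; contents are never read */
    ram_region r = { backing, size };
    return phys2virt_checked(&r, offset, len) != NULL;
}

/*
 * Runs one command against a constructed 64-byte region holding the bytes
 * 0..63, with a 16-byte host output buffer. Returns bytes copied or -1;
 * when first is non-NULL it receives the first copied byte (-1 if rejected).
 */
long demo_cmd(uint64_t offset, uint32_t len, int *first)
{
    uint8_t backing[64];
    for (int i = 0; i < 64; i++) {
        backing[i] = (uint8_t)i;    /* constructed sample contents */
    }
    ram_region r = { backing, sizeof backing };
    guest_cmd cmd = { offset, len };
    uint8_t out[16];
    long n = handle_cmd(&r, &cmd, out, sizeof out);
    if (first != NULL) {
        *first = n > 0 ? out[0] : -1;
    }
    return n;
}

/* Convenience for callers that only want the first copied byte. */
int demo_first_byte(uint64_t offset, uint32_t len)
{
    int first;
    demo_cmd(offset, len, &first);
    return first;
}

int main(void)
{
    int first;
    printf("offset 8, len 4: %ld bytes, first byte %d\n", demo_cmd(8, 4, &first), first);
    printf("offset 62, len 4: %ld (past the end)\n", demo_cmd(62, 4, NULL));
    printf("offset 2^64-2, len 4: %ld (sum would wrap)\n", demo_cmd(UINT64_MAX - 1, 4, NULL));
    printf("offset 0, len 32: %ld (larger than host buffer)\n", demo_cmd(0, 32, NULL));
    return 0;
}
```

The size argument is the point: a check on the offset alone still lets a multi-byte object straddle the end of the region, and writing the comparison as offset > size - len rather than offset + len > size is what keeps a guest from wrapping the sum.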