On Fri, Nov 25, 2022 at 4:40 PM Philippe Mathieu-Daudé wrote:
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
This is now CVE-2022-4144. Please add a proper "Fixes:" tag, if possible.
Thank you for the fix.
> Worth considering for 7.2?
>
> Regards,
>
> Phil.
>
> Philippe Mathieu-Daudé (4):
> hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
> hw/display/qxl: Document qxl_phys2virt()
> hw/display/qxl: Pass qxl_phys2virt size
> hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
>
>  hw/display/qxl-logger.c | 22 +++---
>  hw/display/qxl-render.c | 11 +++
>  hw/display/qxl.c        | 25 +++--
>  hw/display/qxl.h        | 23 ++-
>  4 files changed, 67 insertions(+), 14 deletions(-)
>
> --
> 2.38.1
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
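The cover letter quoted above describes the bug class (a host pointer obtained for a RAM region, then offset into it without consulting the region's size) and sketches the remedy (a helper that checks for overrun). The following is an added, self-contained illustration of that checked-helper idea; it is not QEMU code and does not reproduce the QXL fix. `ToyRegion`, `toy_phys2virt_checked`, `toy_check_ok` and `toy_demo` are names invented here, and the region is a constructed 64-byte buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a RAM-backed region: a host pointer plus the number of
 * bytes behind it. This is an illustration, not QEMU's MemoryRegion. */
typedef struct {
    uint8_t *host;   /* backing host buffer */
    uint64_t size;   /* bytes available starting at host */
} ToyRegion;

/* Checked translation from a guest offset to a host pointer.
 * Returns NULL unless the whole access [offset, offset + len) lies inside
 * the region. The two comparisons are ordered so that no unsigned
 * addition can wrap around: offset is bounded first, then len is compared
 * against the remaining space rather than adding it to offset. */
static uint8_t *toy_phys2virt_checked(const ToyRegion *r, uint64_t offset,
                                      uint64_t len)
{
    if (r == NULL || r->host == NULL) {
        return NULL;
    }
    if (offset > r->size) {
        return NULL;                 /* start is already past the end */
    }
    if (len > r->size - offset) {
        return NULL;                 /* access would run past the end */
    }
    return r->host + offset;
}

/* Convenience predicate for a region of region_size bytes: 1 if the access
 * would be accepted, 0 if rejected. Uses a static 64-byte buffer as the
 * host backing, so region_size is capped at 64 for the demo. */
static int toy_check_ok(uint64_t region_size, uint64_t offset, uint64_t len)
{
    static uint8_t backing[64];      /* constructed sample backing store */
    ToyRegion r = { backing, region_size > 64 ? 64 : region_size };
    return toy_phys2virt_checked(&r, offset, len) != NULL;
}

/* Runs a fixed set of accesses against a 64-byte region and returns how
 * many the checked helper accepts. In-bounds: (0,64), (60,4), (64,0).
 * Rejected: (60,5), (65,0), (UINT64_MAX,1), (1,UINT64_MAX). */
static int toy_demo(void)
{
    const struct { uint64_t off, len; } cases[] = {
        { 0, 64 }, { 60, 4 }, { 60, 5 }, { 64, 0 },
        { 65, 0 }, { UINT64_MAX, 1 }, { 1, UINT64_MAX },
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = toy_check_ok(64, cases[i].off, cases[i].len);
        printf("offset=%llu len=%llu -> %s\n",
               (unsigned long long)cases[i].off,
               (unsigned long long)cases[i].len,
               ok ? "accepted" : "rejected");
        accepted += ok;
    }
    return accepted;
}

int main(void)
{
    printf("%d accesses accepted\n", toy_demo());
    return 0;
}
```

The point of the ordering in `toy_phys2virt_checked` is the last two test cases: a naive `offset + len <= size` check wraps for `offset = UINT64_MAX, len = 1` and for `offset = 1, len = UINT64_MAX` and would accept both, while comparing `len` against `size - offset` after bounding `offset` cannot overflow.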