From patchwork Wed Jan 6 04:43:34 2010
X-Patchwork-Submitter: Roland Dreier
X-Patchwork-Id: 42279
From: Roland Dreier
To: Anthony Liguori
Cc: qemu-devel@nongnu.org
Date: Tue, 05 Jan 2010 20:43:34 -0800
References: <4B2AB1F2.3060507@codemonkey.ws>
In-Reply-To: <4B2AB1F2.3060507@codemonkey.ws> (Anthony Liguori's message of "Thu, 17 Dec 2009 16:34:26 -0600")
Subject: [Qemu-devel] [PATCH resend] vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow

Check that the cursor dimensions passed from the guest for the DEFINE_CURSOR command don't overflow the available space in the cursor.image[] or cursor.mask[] arrays before copying data from the guest into those arrays.
Signed-off-by: Roland Dreier --- Hi Anthony, as far as I can tell this seems to have slipped through the cracks. I think this is fairly important: it is a guest-triggerable stack smashing attack in the worst case. Thanks, Roland hw/vmware_vga.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c index 7ab1c79..5e969ae 100644 --- a/hw/vmware_vga.c +++ b/hw/vmware_vga.c @@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) cursor.height = y = vmsvga_fifo_read(s); vmsvga_fifo_read(s); cursor.bpp = vmsvga_fifo_read(s); + + if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || + SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); + goto badcmd; + } + for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++) cursor.mask[args] = vmsvga_fifo_read_raw(s); for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
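Review bot: the new bounds check compares `SVGA_BITMAP_SIZE(x, y)` and `SVGA_PIXMAP_SIZE(x, y, cursor.bpp)` against `sizeof cursor.mask` / `sizeof cursor.image`, but all three inputs (`x`, `y`, `cursor.bpp`) come straight from the guest FIFO and the macro definitions are not in the hunk; if the macros multiply these values without widening, a large guest-supplied `x`, `y` or `bpp` could wrap the computed size below the array size and pass the check while the following `for` loops still iterate on the same wrapped value. It would be worth either confirming the macros cannot overflow for 32-bit inputs or bounding `x`, `y` and `cursor.bpp` against sane maxima before the size comparison. Separately, the error path reuses `args` to carry `SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp)` before `goto badcmd`; a one-line comment stating what `badcmd` does with that count (presumably skipping the unread cursor payload) would make the intent clear to the next reader, since `args` is otherwise the loop counter in the lines that follow.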