[RFC,PATCH-for-7.2,v3,0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

Message ID	20221128202741.4945-1-philmd@linaro.org
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org> To: qemu-devel@nongnu.org, =?utf-8?q?Marc-Andr=C3=A9_Lureau?= <marcandre.lureau@redhat.com> Cc: Alexander Bulekov <alxndr@bu.edu>, Paolo Bonzini <pbonzini@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>, Peter Maydell <peter.maydell@linaro.org>, Mauro Matteo Cascella <mcascell@redhat.com>, =?utf-8?q?Philippe_Mathieu-Dau?= =?utf-8?q?d=C3=A9?= <philmd@linaro.org> Subject: [RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() Date: Mon, 28 Nov 2022 21:27:36 +0100 Message-Id: <20221128202741.4945-1-philmd@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::333; envelope-from=philmd@linaro.org; helo=mail-wm1-x333.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Series	hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() \| expand [RFC,PATCH-for-7.2,v3,0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() [PATCH-for-7.2,v3,1/5] hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler [PATCH-for-7.2,v3,2/5] hw/display/qxl: Document qxl_phys2virt() [RFC,PATCH-for-7.2,v3,3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt() [RFC,PATCH-for-7.2,v3,4/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144) [PATCH-for-8.0,v3,5/5] hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion

Message ID

20221128202741.4945-1-philmd@linaro.org

Headers

From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>
To: qemu-devel@nongnu.org,
 =?utf-8?q?Marc-Andr=C3=A9_Lureau?= <marcandre.lureau@redhat.com>
Cc: Alexander Bulekov <alxndr@bu.edu>, Paolo Bonzini <pbonzini@redhat.com>,
 Gerd Hoffmann <kraxel@redhat.com>, Peter Maydell <peter.maydell@linaro.org>,
 Mauro Matteo Cascella <mcascell@redhat.com>, =?utf-8?q?Philippe_Mathieu-Dau?=
	=?utf-8?q?d=C3=A9?= <philmd@linaro.org>
Subject: [RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in
 qxl_phys2virt()
Date: Mon, 28 Nov 2022 21:27:36 +0100
Message-Id: <20221128202741.4945-1-philmd@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::333;
 envelope-from=philmd@linaro.org; helo=mail-wm1-x333.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Series

hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() | expand

Message

Philippe Mathieu-Daudé Nov. 28, 2022, 8:27 p.m. UTC

Since v2:
- Do not abort checking guest-provided addresses (Stefan)
- Handle chunked QEMUCursor (Gerd)

Since v1:
- Moved overrun check in qxl_get_check_slot_offset (Marc-André)

memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (5):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd
    handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
  hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion

 hw/display/qxl-logger.c | 22 ++++++++++++++++++---
 hw/display/qxl-render.c | 20 ++++++++++++++++----
 hw/display/qxl.c        | 42 ++++++++++++++++++++++++++++++++---------
 hw/display/qxl.h        | 23 +++++++++++++++++++++-
 4 files changed, 90 insertions(+), 17 deletions(-)

Comments

Stefan Hajnoczi Nov. 30, 2022, 7:45 p.m. UTC | #1

On Mon, 28 Nov 2022 at 15:30, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Since v2:
> - Do not abort checking guest-provided addresses (Stefan)
> - Handle chunked QEMUCursor (Gerd)
>
> Since v1:
> - Moved overrun check in qxl_get_check_slot_offset (Marc-André)
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
>
> Worth considering for 7.2?

Merged, thanks!

Stefan