| Message ID | adamy0rvo5l.fsf_-_@roland-alpha.cisco.com |
|---|---|
| State | New |
On 01/05/2010 10:43 PM, Roland Dreier wrote:
> Check that the cursor dimensions passed from the guest for the
> DEFINE_CURSOR command don't overflow the available space in the
> cursor.image[] or cursor.mask[] arrays before copying data from the
> guest into those arrays.
>
> Signed-off-by: Roland Dreier <rolandd@cisco.com>

Applied. Thanks.

Regards,

Anthony Liguori

> ---
> Hi Anthony,
>
> as far as I can tell this seems to have slipped through the cracks. I
> think this is fairly important: it is a guest-triggerable stack smashing
> attack in the worst case.
>
> Thanks,
> Roland
>
> hw/vmware_vga.c | 7 +++++++
> 1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c > index 7ab1c79..5e969ae 100644 > --- a/hw/vmware_vga.c > +++ b/hw/vmware_vga.c > @@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) > cursor.height = y = vmsvga_fifo_read(s); > vmsvga_fifo_read(s); > cursor.bpp = vmsvga_fifo_read(s); > + > + if (SVGA_BITMAP_SIZE(x, y)> sizeof cursor.mask || > + SVGA_PIXMAP_SIZE(x, y, cursor.bpp)> sizeof cursor.image) { > + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); > + goto badcmd; > + } > + > for (args = 0; args< SVGA_BITMAP_SIZE(x, y); args ++) > cursor.mask[args] = vmsvga_fifo_read_raw(s); > for (args = 0; args< SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++) > > > >
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c index 7ab1c79..5e969ae 100644 --- a/hw/vmware_vga.c +++ b/hw/vmware_vga.c @@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) cursor.height = y = vmsvga_fifo_read(s); vmsvga_fifo_read(s); cursor.bpp = vmsvga_fifo_read(s); + + if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || + SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); + goto badcmd; + } + for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++) cursor.mask[args] = vmsvga_fifo_read_raw(s); for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)
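Review bot: the new size check is only as trustworthy as the arithmetic inside SVGA_BITMAP_SIZE() and SVGA_PIXMAP_SIZE(), which in this hunk are evaluated on x, y and cursor.bpp read straight from the guest FIFO; if those expressions wrap, the comparisons against sizeof cursor.mask and sizeof cursor.image pass for dimensions that are nonsensical. Because the two copy loops reuse the same expressions, a wrapped value does not by itself write past the arrays, but the safety then rests on that coincidence rather than on the check; range-checking width, height and bpp before computing the sizes (or widening the computation) would make the guarantee explicit. Separately, the line `args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);` before `goto badcmd` carries no comment: if it tells the badcmd path how many words of the command to skip, say so, and note that whether badcmd copes with a very large args value is not visible in this hunk.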
Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
---
Hi Anthony,

as far as I can tell this seems to have slipped through the cracks. I
think this is fairly important: it is a guest-triggerable stack smashing
attack in the worst case.

Thanks,
Roland

 hw/vmware_vga.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
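The check the commit message describes, as an added example that is neither QEMU's hw/vmware_vga.c nor Roland's patch: it models a DEFINE_CURSOR handler fed from a constructed guest FIFO. The array size (MAX_CURSOR_WORDS), the word-per-row size formula standing in for SVGA_BITMAP_SIZE()/SVGA_PIXMAP_SIZE(), and the fifo/cursor types are all assumptions made for the example. It goes one step beyond the patch by showing why the size computation itself must not wrap on guest-supplied width and bpp: naive_pixmap_words() reproduces the wrap, pixmap_words() is the overflow-safe form the validated handler uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed capacity of cursor.mask[] and cursor.image[], in 32-bit words.
 * Not QEMU's value; chosen so the example fits comfortably on the stack. */
#define MAX_CURSOR_WORDS 1024u

struct cursor {                       /* assumed layout, mirrors the hunk's fields */
    uint32_t width, height, bpp;
    uint32_t mask[MAX_CURSOR_WORDS];  /* 1 bit per pixel, rows padded to 32-bit words */
    uint32_t image[MAX_CURSOR_WORDS]; /* bpp bits per pixel, rows padded likewise */
};

/* Constructed guest FIFO: the command words exactly as the device would pull them. */
struct fifo {
    const uint32_t *words;
    size_t len, pos;
};

static uint32_t fifo_read(struct fifo *f)
{
    return f->pos < f->len ? f->words[f->pos++] : 0;   /* empty FIFO reads as 0 */
}

/* Assumed size formula evaluated at 32-bit width (not QEMU's macro).
 * w * bpp wraps modulo 2^32, so a huge width can report zero words and
 * pass any comparison against the array size. */
static uint32_t naive_pixmap_words(uint32_t w, uint32_t h, uint32_t bpp)
{
    return (((w * bpp) + 31) >> 5) * h;
}

/* Overflow-safe form: widen to 64 bits, bound each factor against the
 * destination before multiplying, and return 0 when the data cannot fit. */
static int pixmap_words(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    uint64_t row_words = ((uint64_t)w * bpp + 31) / 32;   /* at most 2^59, no wrap */
    if (row_words > MAX_CURSOR_WORDS || h > MAX_CURSOR_WORDS)
        return 0;
    uint64_t total = row_words * h;                        /* at most 2^20 */
    if (total > MAX_CURSOR_WORDS)
        return 0;
    *out = (size_t)total;
    return 1;
}

enum { CMD_OK = 0, CMD_BAD = -1 };

/* Validated DEFINE_CURSOR: both sizes are checked before either copy loop,
 * the same ordering the patch introduces. The mask is 1 bpp. */
static int define_cursor(struct cursor *c, struct fifo *f)
{
    size_t mask_words, image_words;

    c->width  = fifo_read(f);
    c->height = fifo_read(f);
    (void)fifo_read(f);                     /* unused word, as in the hunk */
    c->bpp    = fifo_read(f);

    if (!pixmap_words(c->width, c->height, 1, &mask_words) ||
        !pixmap_words(c->width, c->height, c->bpp, &image_words))
        return CMD_BAD;                     /* would overrun the arrays: reject */

    for (size_t i = 0; i < mask_words; i++)
        c->mask[i] = fifo_read(f);
    for (size_t i = 0; i < image_words; i++)
        c->image[i] = fifo_read(f);
    return CMD_OK;
}

/* Build one constructed command (header plus filler pixel words) and run it. */
static int run_cmd(uint32_t w, uint32_t h, uint32_t bpp)
{
    static uint32_t buf[4 + 2 * MAX_CURSOR_WORDS];
    struct cursor c;
    struct fifo f = { buf, sizeof buf / sizeof buf[0], 0 };

    buf[0] = w; buf[1] = h; buf[2] = 0; buf[3] = bpp;
    for (size_t i = 4; i < f.len; i++)
        buf[i] = 0xA5A5A5A5u;               /* constructed pixel data */
    return define_cursor(&c, &f);
}

int main(void)
{
    printf("32x32x1  -> %d\n", run_cmd(32, 32, 1));            /* fits: CMD_OK */
    printf("64x64x32 -> %d\n", run_cmd(64, 64, 32));           /* too big: CMD_BAD */
    printf("naive words for w=0x10000000,bpp=32: %u\n",
           naive_pixmap_words(0x10000000u, 1, 32));            /* wraps to 0 */
    printf("wrap case -> %d\n", run_cmd(0x10000000u, 1, 32));  /* rejected: CMD_BAD */
    return 0;
}
```

The wrap case is the one to keep in mind when reviewing the patch: a 32-bit product of guest-supplied width and bpp can come out as 0, so a check written purely in terms of such a macro passes even though the dimensions are absurd. Doing the arithmetic in 64 bits and bounding each factor against the destination removes that dependency.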