From patchwork Sun Dec 20 18:06:06 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roland Dreier <rdreier@cisco.com>
X-Patchwork-Id: 41512
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [199.232.76.165])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 2120BB6F10
	for <incoming@patchwork.ozlabs.org>;
	Mon, 21 Dec 2009 05:09:52 +1100 (EST)
Received: from localhost ([127.0.0.1]:55001 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NMQE1-0002kJ-0J
	for incoming@patchwork.ozlabs.org; Sun, 20 Dec 2009 13:09:49 -0500
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1NMQAZ-0001V9-NC
	for qemu-devel@nongnu.org; Sun, 20 Dec 2009 13:06:15 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1NMQAV-0001S8-2v
	for qemu-devel@nongnu.org; Sun, 20 Dec 2009 13:06:15 -0500
Received: from [199.232.76.173] (port=57905 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NMQAU-0001Rt-Lc
	for qemu-devel@nongnu.org; Sun, 20 Dec 2009 13:06:10 -0500
Received: from sj-iport-1.cisco.com ([171.71.176.70]:6251)
	by monty-python.gnu.org with esmtps (TLS-1.0:RSA_ARCFOUR_SHA1:16)
	(Exim 4.60) (envelope-from <rdreier@cisco.com>) id 1NMQAU-00077I-1W
	for qemu-devel@nongnu.org; Sun, 20 Dec 2009 13:06:10 -0500
Authentication-Results: sj-iport-1.cisco.com;
	dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAN71LUurR7H+/2dsb2JhbAC8YpUzhC4E
X-IronPort-AV: E=Sophos;i="4.47,428,1257120000"; d="scan'208";a="281792304"
Received: from sj-core-2.cisco.com ([171.71.177.254])
	by sj-iport-1.cisco.com with ESMTP; 20 Dec 2009 18:06:07 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com
	[128.107.191.63])
	by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id nBKI67Oa027275;
	Sun, 20 Dec 2009 18:06:07 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by
	xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);
	Sun, 20 Dec 2009 10:06:07 -0800
Received: from roland-alpha.cisco.com ([10.33.42.9]) by
	xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);
	Sun, 20 Dec 2009 10:06:06 -0800
Received: by roland-alpha.cisco.com (Postfix, from userid 33217)
	id 72F8B1FD0B; Sun, 20 Dec 2009 10:06:06 -0800 (PST)
From: Roland Dreier <rdreier@cisco.com>
To: Anthony Liguori <anthony@codemonkey.ws>
References: <adatyvp44ov.fsf@roland-alpha.cisco.com>
	<4B2AB1F2.3060507@codemonkey.ws>
	<adaljh1441g.fsf@roland-alpha.cisco.com>
	<4B2AB549.7090209@codemonkey.ws>
X-Message-Flag: Warning: May contain useful information
Date: Sun, 20 Dec 2009 10:06:06 -0800
In-Reply-To: <4B2AB549.7090209@codemonkey.ws> (Anthony Liguori's message of
	"Thu, 17 Dec 2009 16:48:41 -0600")
Message-ID: <aday6kx1pwx.fsf@roland-alpha.cisco.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Dec 2009 18:06:06.0667 (UTC)
	FILETIME=[19D541B0:01CA819F]
X-detected-operating-system: by monty-python.gnu.org: Genre and OS details
	not recognized.
Cc: Dave Airlie <airlied@gmail.com>, qemu-devel@nongnu.org
Subject: [Qemu-devel] Re: [PATCH to consider for 0.12] vmware_vga: Don't
	crash on too-big DEFINE_CURSOR command
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

I see that you applied Dave's series, no worries on that, but I think we
really want the following, since a clever enough malicious guest can
probably turn the overrun into code execution in the host QEMU (though
I've not tried writing an exploit or anything like that)... not sure if
this merits the whole CVE process but it does look very much worth
fixing, and probably the other guest commands want auditing too...

===
vmware_vga: Check cursor dimensions passed from guest to avoid buffer overflow

Check that the cursor dimensions passed from the guest for the
DEFINE_CURSOR command don't overflow the available space in the
cursor.image[] or cursor.mask[] arrays before copying data from the
guest into those arrays.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
---
 hw/vmware_vga.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 7ab1c79..5e969ae 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -562,6 +562,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             cursor.height = y = vmsvga_fifo_read(s);
             vmsvga_fifo_read(s);
             cursor.bpp = vmsvga_fifo_read(s);
+
+	    if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+		SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+		    args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+		    goto badcmd;
+	    }
+
             for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++)
                 cursor.mask[args] = vmsvga_fifo_read_raw(s);
             for (args = 0; args < SVGA_PIXMAP_SIZE(x, y, cursor.bpp); args ++)