author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-05-02 09:33:24 +0200 |
committer | Tudor Florea <tudor.florea@enea.com> | 2016-05-03 16:05:46 +0200 |
commit | 3291d1de776eb008e665746f93a65aa90f8750ce (patch) | |
tree | 4c22931054b90d7e0a719a33c422efd1c4390988 | |
parent | d3d0c7af34b996b4518b26d4f3b4eff831a651af (diff) | |
qemu: ui: vnc: CVE-2015-5225
Fixes heap memory corruption in vnc_refresh_server_surface.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5225
Reference to upstream patch:
http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch | 88 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.4.0.bb | 1 |
2 files changed, 89 insertions, 0 deletions
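--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch
@@ -0,0 +1,88 @@
+From efec4dcd2552e85ed57f276b58f09fc385727450 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 17 Aug 2015 19:56:53 +0200
+Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
+memory corruption issues" can become negative. Result is (possibly
+exploitable) memory corruption. Reason for that is it uses the stride
+instead of bytes per scanline to apply limits.
+
+For the server surface is is actually fine. vnc creates that itself,
+there is never any padding and thus scanline length always equals stride.
+
+For the guest surface scanline length and stride are typically identical
+too, but it doesn't has to be that way. So add and use a new variable
+(guest_ll) for the guest scanline length. Also rename min_stride to
+line_bytes to make more clear what it actually is. Finally sprinkle
+in an assert() to make sure we never use a negative _cmp_bytes again.
+
+CVE: CVE-2015-5225
+Upstream-Status: Backport
+
+Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
+Reviewed-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ui/vnc.c | 15 ++++++++++-----
+1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index e26973a..caf82f5 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+pixman_image_get_width(vd->server));
+int height = MIN(pixman_image_get_height(vd->guest.fb),
+pixman_image_get_height(vd->server));
+- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
++ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
+uint8_t *guest_row0 = NULL, *server_row0;
+VncState *vs;
+int has_dirty = 0;
+@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+* Update server dirty map.
+*/
+server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
+- server_stride = guest_stride = pixman_image_get_stride(vd->server);
++ server_stride = guest_stride = guest_ll =
++ pixman_image_get_stride(vd->server);
+cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
+server_stride);
+if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
+int width = pixman_image_get_width(vd->server);
+tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
+} else {
++ int guest_bpp =
++ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
+guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
+guest_stride = pixman_image_get_stride(vd->guest.fb);
++ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
+}
+- min_stride = MIN(server_stride, guest_stride);
++ line_bytes = MIN(server_stride, guest_ll);
+
+for (;;) {
+int x;
+@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
+continue;
+}
+- if ((x + 1) * cmp_bytes > min_stride) {
+- _cmp_bytes = min_stride - x * cmp_bytes;
++ if ((x + 1) * cmp_bytes > line_bytes) {
++ _cmp_bytes = line_bytes - x * cmp_bytes;
+}
++ assert(_cmp_bytes >= 0);
+if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
+continue;
+}
+--
+1.9.1
+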
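Review bot: The only thing standing between a negative `_cmp_bytes` and the `memcmp()` length argument on the new side is `assert(_cmp_bytes >= 0);` (line 82 of the added patch); a negative `int` passed as `size_t` is a huge length, so if this 2.4.0 tree can ever be built with `NDEBUG` defined the guard disappears and the original corruption returns — either confirm the tree refuses `NDEBUG` builds (later QEMU enforces this in osdep.h; I cannot tell from here whether 2.4.0 does) or make it a hard bail-out that skips the row. The reasoning for bounding `line_bytes` by `server_stride` rather than a server scanline length exists only in the commit message (lines 14-15 of the patch), so I would put it next to the new `line_bytes = MIN(server_stride, guest_ll);` as `/* The server surface is allocated by vnc itself with no row padding, so its stride is its scanline length; the guest surface may be padded, hence guest_ll. */`. In the format-conversion branch `guest_ll` is left at the server stride; that looks intentional because the comparison there is against `tmpbuf` created at `VNC_SERVER_FB_FORMAT`, but a one-line comment stating it would save the next reader the same derivation. `vnc_refresh_server_surface` starts and ends outside the quoted hunks.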
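--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -20,6 +20,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://CVE-2015-7295_3.patch \
 file://CVE-2016-2197.patch \
 file://CVE-2016-2198.patch \
+file://vnc-CVE-2015-5225.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"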