Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch | 89 |
1 files changed, 89 insertions, 0 deletions
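--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+(CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
+CVE: CVE-2021-4206
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/display/qxl-render.c | 7 +++++++
+hw/display/vmware_vga.c | 2 ++
+ui/cursor.c | 8 +++++++-
+3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293ba..ca217004bf 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+size_t size;
+
+c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+c->hot_x = cursor->header.hot_spot_x;
+c->hot_y = cursor->header.hot_spot_y;
+switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c83474ad..45d06cbe25 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+int i, pixels;
+
+qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+qc->hot_x = c->hot_x;
+qc->hot_y = c->hot_y;
+switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+/* parse pixel data */
+c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+for (pixel = 0, y = 0; y < height; y++, line++) {
+for (x = 0; x < height; x++, pixel++) {
+idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+QEMUCursor *cursor_alloc(int width, int height)
+{
+QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+c = g_malloc0(sizeof(QEMUCursor) + datasize);
+c->width = width;
+--
+GitLab
+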
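Review bot: The range check added to cursor_alloc (ui/cursor.c hunk) only rejects values above 512 and sits after `width * height * sizeof(uint32_t)` has already been evaluated, so with `int` parameters a negative width or height still passes the guard, and `width * height` is still computed as a signed int product before the check rather than being prevented by it. Moving the guard first and widening the arithmetic closes both gaps: `if (width < 0 || height < 0 || width > 512 || height > 512) { return NULL; }` followed by `size_t datasize = (size_t)width * height * sizeof(uint32_t);`. The callers also differ in how they treat the new NULL return: qxl_cursor reports a guest bug and bails out, whereas vmsvga_cursor_define uses `assert(qc != NULL)`, which aborts the whole VM if a guest-supplied cursor larger than 512x512 can reach it — whether the vmsvga FIFO path already caps c->width/c->height is not visible in this patch and is worth confirming before relying on the assert. The body of cursor_alloc continues past the end of the hunk.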