diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch new file mode 100644 index 0000000000..3f0d5fbd5c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch | |||
@@ -0,0 +1,103 @@ | |||
1 | From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> | ||
3 | Date: Mon, 28 Nov 2022 21:27:40 +0100 | ||
4 | Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt | ||
5 | (CVE-2022-4144) | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | Have qxl_get_check_slot_offset() return false if the requested | ||
11 | buffer size does not fit within the slot memory region. | ||
12 | |||
13 | Similarly qxl_phys2virt() now returns NULL in such case, and | ||
14 | qxl_dirty_one_surface() aborts. | ||
15 | |||
16 | This avoids buffer overrun in the host pointer returned by | ||
17 | memory_region_get_ram_ptr(). | ||
18 | |||
19 | Fixes: CVE-2022-4144 (out-of-bounds read) | ||
20 | Reported-by: Wenxu Yin (@awxylitol) | ||
21 | Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 | ||
22 | |||
23 | Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> | ||
24 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
25 | Message-Id: <20221128202741.4945-5-philmd@linaro.org> | ||
26 | |||
27 | Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622] | ||
28 | CVE: CVE-2022-4144 | ||
29 | Comments: Deleted patch hunk in qxl.h,as it contains change | ||
30 | in comments which is not present in current version of qemu. | ||
31 | |||
32 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
33 | --- | ||
34 | hw/display/qxl.c | 27 +++++++++++++++++++++++---- | ||
35 | 1 file changed, 23 insertions(+), 4 deletions(-) | ||
36 | |||
37 | diff --git a/hw/display/qxl.c b/hw/display/qxl.c | ||
38 | index cd7eb39d..6bc8385b 100644 | ||
39 | --- a/hw/display/qxl.c | ||
40 | +++ b/hw/display/qxl.c | ||
41 | @@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d) | ||
42 | |||
43 | /* can be also called from spice server thread context */ | ||
44 | static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, | ||
45 | - uint32_t *s, uint64_t *o) | ||
46 | + uint32_t *s, uint64_t *o, | ||
47 | + size_t size_requested) | ||
48 | { | ||
49 | uint64_t phys = le64_to_cpu(pqxl); | ||
50 | uint32_t slot = (phys >> (64 - 8)) & 0xff; | ||
51 | uint64_t offset = phys & 0xffffffffffff; | ||
52 | + uint64_t size_available; | ||
53 | |||
54 | if (slot >= NUM_MEMSLOTS) { | ||
55 | qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot, | ||
56 | @@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, | ||
57 | slot, offset, qxl->guest_slots[slot].size); | ||
58 | return false; | ||
59 | } | ||
60 | + size_available = memory_region_size(qxl->guest_slots[slot].mr); | ||
61 | + if (qxl->guest_slots[slot].offset + offset >= size_available) { | ||
62 | + qxl_set_guest_bug(qxl, | ||
63 | + "slot %d offset %"PRIu64" > region size %"PRIu64"\n", | ||
64 | + slot, qxl->guest_slots[slot].offset + offset, | ||
65 | + size_available); | ||
66 | + return false; | ||
67 | + } | ||
68 | + size_available -= qxl->guest_slots[slot].offset + offset; | ||
69 | + if (size_requested > size_available) { | ||
70 | + qxl_set_guest_bug(qxl, | ||
71 | + "slot %d offset %"PRIu64" size %zu: " | ||
72 | + "overrun by %"PRIu64" bytes\n", | ||
73 | + slot, offset, size_requested, | ||
74 | + size_requested - size_available); | ||
75 | + return false; | ||
76 | + } | ||
77 | |||
78 | *s = slot; | ||
79 | *o = offset; | ||
80 | @@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) | ||
81 | offset = le64_to_cpu(pqxl) & 0xffffffffffff; | ||
82 | return (void *)(intptr_t)offset; | ||
83 | case MEMSLOT_GROUP_GUEST: | ||
84 | - if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) { | ||
85 | + if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { | ||
86 | return NULL; | ||
87 | } | ||
88 | ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr); | ||
89 | @@ -1944,9 +1963,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, | ||
90 | uint32_t slot; | ||
91 | bool rc; | ||
92 | |||
93 | - rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset); | ||
94 | - assert(rc == true); | ||
95 | size = (uint64_t)height * abs(stride); | ||
96 | + rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size); | ||
97 | + assert(rc == true); | ||
98 | trace_qxl_surfaces_dirty(qxl->id, offset, size); | ||
99 | qxl_set_dirty(qxl->guest_slots[slot].mr, | ||
100 | qxl->guest_slots[slot].offset + offset, | ||
101 | -- | ||
102 | 2.25.1 | ||
103 | |||