summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-05-02 07:33:24 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-05-03 14:05:46 (GMT)
commit3291d1de776eb008e665746f93a65aa90f8750ce (patch)
tree4c22931054b90d7e0a719a33c422efd1c4390988
parentd3d0c7af34b996b4518b26d4f3b4eff831a651af (diff)
downloadpoky-3291d1de776eb008e665746f93a65aa90f8750ce.tar.gz
qemu: ui: vnc: CVE-2015-5225
Fixes heap memory corruption in vnc_refresh_server_surface. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5225 Reference to upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch88
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.4.0.bb1
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch
new file mode 100644
index 0000000..262c2b9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2015-5225.patch
@@ -0,0 +1,88 @@
1From efec4dcd2552e85ed57f276b58f09fc385727450 Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Mon, 17 Aug 2015 19:56:53 +0200
4Subject: [PATCH] vnc: fix memory corruption (CVE-2015-5225)
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
10memory corruption issues" can become negative. Result is (possibly
11exploitable) memory corruption. Reason for that is it uses the stride
12instead of bytes per scanline to apply limits.
13
14For the server surface is is actually fine. vnc creates that itself,
15there is never any padding and thus scanline length always equals stride.
16
17For the guest surface scanline length and stride are typically identical
18too, but it doesn't has to be that way. So add and use a new variable
19(guest_ll) for the guest scanline length. Also rename min_stride to
20line_bytes to make more clear what it actually is. Finally sprinkle
21in an assert() to make sure we never use a negative _cmp_bytes again.
22
23CVE: CVE-2015-5225
24Upstream-Status: Backport
25
26Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
27Reviewed-by: P J P <ppandit@redhat.com>
28Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
29(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
30Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
31Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
32---
33 ui/vnc.c | 15 ++++++++++-----
34 1 file changed, 10 insertions(+), 5 deletions(-)
35
36diff --git a/ui/vnc.c b/ui/vnc.c
37index e26973a..caf82f5 100644
38--- a/ui/vnc.c
39+++ b/ui/vnc.c
40@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
41 pixman_image_get_width(vd->server));
42 int height = MIN(pixman_image_get_height(vd->guest.fb),
43 pixman_image_get_height(vd->server));
44- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0;
45+ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0;
46 uint8_t *guest_row0 = NULL, *server_row0;
47 VncState *vs;
48 int has_dirty = 0;
49@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
50 * Update server dirty map.
51 */
52 server_row0 = (uint8_t *)pixman_image_get_data(vd->server);
53- server_stride = guest_stride = pixman_image_get_stride(vd->server);
54+ server_stride = guest_stride = guest_ll =
55+ pixman_image_get_stride(vd->server);
56 cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES,
57 server_stride);
58 if (vd->guest.format != VNC_SERVER_FB_FORMAT) {
59 int width = pixman_image_get_width(vd->server);
60 tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width);
61 } else {
62+ int guest_bpp =
63+ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb));
64 guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb);
65 guest_stride = pixman_image_get_stride(vd->guest.fb);
66+ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8);
67 }
68- min_stride = MIN(server_stride, guest_stride);
69+ line_bytes = MIN(server_stride, guest_ll);
70
71 for (;;) {
72 int x;
73@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
74 if (!test_and_clear_bit(x, vd->guest.dirty[y])) {
75 continue;
76 }
77- if ((x + 1) * cmp_bytes > min_stride) {
78- _cmp_bytes = min_stride - x * cmp_bytes;
79+ if ((x + 1) * cmp_bytes > line_bytes) {
80+ _cmp_bytes = line_bytes - x * cmp_bytes;
81 }
82+ assert(_cmp_bytes >= 0);
83 if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) {
84 continue;
85 }
86--
871.9.1
88
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
index 8d47b16..444fb02 100644
--- a/meta/recipes-devtools/qemu/qemu_2.4.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -20,6 +20,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
20 file://CVE-2015-7295_3.patch \ 20 file://CVE-2015-7295_3.patch \
21 file://CVE-2016-2197.patch \ 21 file://CVE-2016-2197.patch \
22 file://CVE-2016-2198.patch \ 22 file://CVE-2016-2198.patch \
23 file://vnc-CVE-2015-5225.patch \
23 " 24 "
24SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 25SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
25SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4" 26SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"