From 5c99bd7a9de1f1a64d948776482ae7103091fac2 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 26 Jan 2018 07:30:05 +0100
Subject: [PATCH 2/4] vga: check the validation of memory addr when draw text
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <20180126073005.15344-2-kraxel@redhat.com>
Patchwork-id: 78710
O-Subject: [RHEL-7.5 qemu-kvm PATCH 1/1] vga: check the validation of memory addr when draw text
Bugzilla: 1534691
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
From: linzhecheng <linzhecheng@huawei.com>
Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2 -device pcnet -vga cirrus,
then use a VNC client to connect to the VM, and execute the code below in the guest
OS will lead to qemu crash:
int main()
{
iopl(3);
srand(time(NULL));
int a,b;
while(1){
a = rand()%0x100;
b = 0x3c0 + (rand()%0x20);
outb(a,b);
}
return 0;
}
The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
the display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of vga ram. So we should check the validation of memory address
when reading or writing it to avoid segfault.
Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
Fixes: CVE-2018-5683
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 191f59dc17396bb5a8da50f8c59b6e0a430711a4)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/display/vga.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index c40744f..017e951 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1328,6 +1328,9 @@ static void vga_draw_text(VGACommonState *s, int full_update)
cx_min = width;
cx_max = -1;
for(cx = 0; cx < width; cx++) {
+ if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+ break;
+ }
ch_attr = *(uint16_t *)src;
if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
if (cx < cx_min)
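Review bot: The new guard expresses the bounds check through pointer arithmetic, `src + sizeof(uint16_t)`, which is undefined behaviour whenever src already points past the end of the vram allocation, the very case the check exists to catch since start_addr is guest-controlled; compare offsets instead, `if ((size_t)(src - s->vram_ptr) + sizeof(uint16_t) > s->vram_size) { break; }`, which stays defined as long as src was derived from vram_ptr (how src is initialised is outside this hunk, so confirm it is never below vram_ptr). The check also deserves a one-line comment stating its intent, e.g. `/* start_addr is guest-controlled; stop at the end of VRAM rather than read past it (CVE-2018-5683) */`, since a reader of the loop otherwise sees only an unexplained early exit. Note that the break only leaves the per-row loop; the row loop that advances src continues outside the hunk and relies on this guard firing again on every subsequent row, which is correct but worth stating in that comment. The body of vga_draw_text starts and ends outside the hunk.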
--
1.8.3.1