From 5c99bd7a9de1f1a64d948776482ae7103091fac2 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 26 Jan 2018 07:30:05 +0100
Subject: [PATCH 2/4] vga: check the validation of memory addr when draw text

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <20180126073005.15344-2-kraxel@redhat.com>
Patchwork-id: 78710
O-Subject: [RHEL-7.5 qemu-kvm PATCH 1/1] vga: check the validation of memory addr when draw text
Bugzilla: 1534691
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>

From: linzhecheng <linzhecheng@huawei.com>

Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2  -device pcnet -vga cirrus,
then use VNC client to connect to VM, and execute the code below in guest
OS will lead to qemu crash:

#include <stdlib.h>
#include <sys/io.h>
#include <time.h>

int main()
{
    iopl(3);                        /* allow port I/O from user space */
    srand(time(NULL));
    int a, b;
    while (1) {
        a = rand() % 0x100;         /* random byte value */
        b = 0x3c0 + (rand() % 0x20); /* random VGA I/O port, 0x3c0-0x3df */
        outb(a, b);
    }
    return 0;
}

The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of vga ram. So we should check the validation of memory address
when reading or writing it to avoid segfault.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
Fixes: CVE-2018-5683
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 191f59dc17396bb5a8da50f8c59b6e0a430711a4)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/display/vga.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index c40744f..017e951 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1328,6 +1328,9 @@ static void vga_draw_text(VGACommonState *s, int full_update)
         cx_min = width;
         cx_max = -1;
         for(cx = 0; cx < width; cx++) {
+            if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+                break;
+            }
             ch_attr = *(uint16_t *)src;
             if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
                 if (cx < cx_min)
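Review bot: the new check at the top of the `cx` loop compares `src + sizeof(uint16_t)` against `s->vram_ptr + s->vram_size`, so when the CRTC start address already points past vram the code forms a pointer beyond the end of the allocation before comparing it; validating the offset that `src` is derived from against `s->vram_size` before forming the pointer would avoid that and read more clearly. The bare `break` also silently leaves the rest of the row undrawn, and nothing in the hunk says this is intentional; a one-line comment stating that out-of-range text cells are skipped rather than rejected would help the next reader.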
-- 
1.8.3.1
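The commit message describes how a guest moves the text-mode start address through CRTC registers 0x0C/0x0D beyond the end of vga ram, and the hunk bounds-checks each 16-bit cell read. The following is an added example, not QEMU's code, modelling that draw loop over a constructed 4 KiB vram with the check written on offsets; the dimensions, the function names (`start_byte_offset`, `draw_text_rows`, `cells_drawn`) and the vram pattern are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed dimensions for a tiny emulated VGA: 4 KiB of RAM and an
 * 80x4 text screen. Each text cell is a 16-bit (character, attribute) pair. */
#define VRAM_SIZE 4096u
#define TEXT_COLS 80u
#define TEXT_ROWS 4u
#define CELL_SIZE sizeof(uint16_t)

/* Display start address programmed through CRTC index 0x0C (high byte)
 * and 0x0D (low byte); the register counts 16-bit cells, so convert to bytes. */
static size_t start_byte_offset(uint8_t crtc_0c, uint8_t crtc_0d)
{
    return (((size_t)crtc_0c << 8) | crtc_0d) * CELL_SIZE;
}

/* Model of the text-mode draw loop with the patch's bound check, written
 * on offsets instead of pointers so no pointer past the end of vram is ever
 * formed. Returns how many cells were read; cells that would overrun vram
 * are skipped (the patch's `break`) instead of being dereferenced. */
static size_t draw_text_rows(const uint8_t *vram, size_t vram_size, size_t start)
{
    size_t cells_read = 0;
    for (size_t cy = 0; cy < TEXT_ROWS; cy++) {
        size_t off = start + cy * TEXT_COLS * CELL_SIZE;
        for (size_t cx = 0; cx < TEXT_COLS; cx++, off += CELL_SIZE) {
            if (off + CELL_SIZE > vram_size) {
                break;                      /* rest of this row lies outside vram */
            }
            uint16_t ch_attr;
            memcpy(&ch_attr, vram + off, CELL_SIZE);   /* safe: fully inside vram */
            (void)ch_attr;                  /* a real renderer would draw it here */
            cells_read++;
        }
    }
    return cells_read;
}

/* Fill a constructed vram and report how many cells a given CRTC start lets the loop read. */
size_t cells_drawn(uint8_t crtc_0c, uint8_t crtc_0d)
{
    static uint8_t vram[VRAM_SIZE];
    for (size_t i = 0; i < VRAM_SIZE; i++) {
        vram[i] = (uint8_t)i;               /* constructed pattern, content irrelevant */
    }
    return draw_text_rows(vram, VRAM_SIZE, start_byte_offset(crtc_0c, crtc_0d));
}
```

With the start register at 0x0700 the last row is cut off after 16 cells, and with 0xFFFF nothing is read at all, which is the case the original crash corresponds to.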