From 3b2c6ef26bdde6363ca750008cef962076e2bf0f Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 26 Jan 2018 08:12:43 +0100
Subject: [PATCH 6/8] vga: check the validation of memory addr when draw text
|
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <20180126081243.19785-2-kraxel@redhat.com>
Patchwork-id: 78712
O-Subject: [RHV7.5 qemu-kvm-rhev PATCH 1/1] vga: check the validation of memory addr when draw text
Bugzilla: 1534682
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
From: linzhecheng <linzhecheng@huawei.com>
|
Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2 -device pcnet -vga cirrus,
then use a VNC client to connect to the VM, and execute the code below in the guest
OS will lead to qemu crash:
|
int main()
{
iopl(3);
srand(time(NULL));
int a,b;
while(1){
a = rand()%0x100;
b = 0x3c0 + (rand()%0x20);
outb(a,b);
}
return 0;
}
|
The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
the display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of vga ram. So we should check the validation of memory address
when reading or writing it to avoid segfault.
|
Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
Fixes: CVE-2018-5683
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 191f59dc17396bb5a8da50f8c59b6e0a430711a4)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/display/vga.c | 3 +++
1 file changed, 3 insertions(+)
|
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
|
|
9bac43 |
index 06ca3da..b1cdf36 100644
|
|
|
9bac43 |
--- a/hw/display/vga.c
|
|
|
9bac43 |
+++ b/hw/display/vga.c
|
|
|
9bac43 |
@@ -1280,6 +1280,9 @@ static void vga_draw_text(VGACommonState *s, int full_update)
|
|
|
9bac43 |
cx_min = width;
|
|
|
9bac43 |
cx_max = -1;
|
|
|
9bac43 |
for(cx = 0; cx < width; cx++) {
|
|
|
9bac43 |
+ if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
|
|
|
9bac43 |
+ break;
|
|
|
9bac43 |
+ }
|
|
|
9bac43 |
ch_attr = *(uint16_t *)src;
|
|
|
9bac43 |
if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
|
|
|
9bac43 |
if (cx < cx_min)
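Review bot: The added guard forms `src + sizeof(uint16_t)` before comparing it against `s->vram_ptr + s->vram_size`, but `src` is derived from the guest-writable CRTC start address (outside this hunk) and may already lie past the end of vram, so the arithmetic and the ordered comparison are on an out-of-object pointer, which C leaves undefined even though it behaves on flat-address targets; a more robust fix rejects or clamps the bad start address where `src` is computed, or checks the offset value rather than a pointer derived from it. The `break` also skips whatever per-cell bookkeeping follows the read for the remaining cells of the row (the `ch_attr_ptr` advance is not visible here), so the next row's compare against `*ch_attr_ptr` may be out of step; that is presumably harmless only because each later row starts even further past the end, and the reliance deserves a comment. I would add above the check: `/* start_addr is guest-controlled (CRTC 0x0C/0x0D); stop the row rather than read past vram (CVE-2018-5683) */`. vga_draw_text begins and ends outside the hunk.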
--
1.8.3.1