From 0a493615833edbe6448bc639200b4a5fa7d492e3 Mon Sep 17 00:00:00 2001

From: Jon Maloy <jmaloy@redhat.com>

Date: Wed, 4 May 2022 10:35:17 -0400

Subject: [PATCH 2/2] ui/cursor: fix integer overflow in cursor_alloc

 (CVE-2021-4206)

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

RH-Author: Jon Maloy <jmaloy@redhat.com>

RH-MergeRequest: 190: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)

RH-Commit: [1/1] 80588f646942c345a2491812cb41aacd4c0805ff (jmaloy/qemu-kvm)

RH-Bugzilla: 2082622

RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>

RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>

RH-Acked-by: Mauro Matteo Cascella <None>

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2082622

Upstream: Merged

CVE: CVE-2021-4206

commit fa892e9abb728e76afcf27323ab29c57fb0fe7aa

Author: Mauro Matteo Cascella <mcascell@redhat.com>

Date:   Thu Apr 7 10:17:12 2022 +0200

    ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)

    Prevent potential integer overflow by limiting 'width' and 'height' to

    512x512. Also change 'datasize' type to size_t. Refer to security

    advisory https://starlabs.sg/advisories/22-4206/ for more information.

    Fixes: CVE-2021-4206

    Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>

    Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

    Message-Id: <20220407081712.345609-1-mcascell@redhat.com>

    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

(cherry picked from commit fa892e9abb728e76afcf27323ab29c57fb0fe7aa)

Signed-off-by: Jon Maloy <jmaloy@redhat.com>

---

 hw/display/qxl-render.c | 7 +++++++

 hw/display/vmware_vga.c | 2 ++

 ui/cursor.c             | 8 +++++++-

 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c

index 237ed293ba..ca217004bf 100644

--- a/hw/display/qxl-render.c

+++ b/hw/display/qxl-render.c

@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,

     size_t size;

     c = cursor_alloc(cursor->header.width, cursor->header.height);

+

+    if (!c) {

+        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,

+                cursor->header.width, cursor->header.height);

+        goto fail;

+    }

+

     c->hot_x = cursor->header.hot_spot_x;

     c->hot_y = cursor->header.hot_spot_y;

     switch (cursor->header.type) {

diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c

index e2969a6c81..2b81d6122f 100644

--- a/hw/display/vmware_vga.c

+++ b/hw/display/vmware_vga.c

@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,

     int i, pixels;

     qc = cursor_alloc(c->width, c->height);

+    assert(qc != NULL);

+

     qc->hot_x = c->hot_x;

     qc->hot_y = c->hot_y;

     switch (c->bpp) {

diff --git a/ui/cursor.c b/ui/cursor.c

index 1d62ddd4d0..835f0802f9 100644

--- a/ui/cursor.c

+++ b/ui/cursor.c

@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])

     /* parse pixel data */

     c = cursor_alloc(width, height);

+    assert(c != NULL);

+

     for (pixel = 0, y = 0; y < height; y++, line++) {

         for (x = 0; x < height; x++, pixel++) {

             idx = xpm[line][x];

@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)

 QEMUCursor *cursor_alloc(int width, int height)

 {

     QEMUCursor *c;

-    int datasize = width * height * sizeof(uint32_t);

+    size_t datasize = width * height * sizeof(uint32_t);

+

+    if (width > 512 || height > 512) {

+        return NULL;

+    }

     c = g_malloc0(sizeof(QEMUCursor) + datasize);

     c->width  = width;

-- 

2.35.3