Tree - rpms/spice - CentOS Git server

rpms / spice

Blame SOURCES/0047-Fix-race-in-red_get_image.patch

Blob History Raw

		73b8f2	`From d2fc5cee16c10e53d81c6251e6929da54270a6f4 Mon Sep 17 00:00:00 2001`
		73b8f2	`From: Frediano Ziglio <fziglio@redhat.com>`
		73b8f2	`Date: Tue, 8 Sep 2015 10:04:10 +0100`
		73b8f2	`Subject: [PATCH 47/57] Fix race in red_get_image`
		73b8f2
		73b8f2	`Do not read multiple times data from guest as this could be changed`
		73b8f2	`by other vcpu threads.`
		73b8f2	`This causes races and security problems if these data are used for`
		73b8f2	`buffer allocation or checks.`
		73b8f2
		73b8f2	`Signed-off-by: Frediano Ziglio <fziglio@redhat.com>`
		73b8f2	`Acked-by: Christophe Fergeau <cfergeau@redhat.com>`
		73b8f2	`---`
		73b8f2	`server/red_parse_qxl.c \| 18 ++++++++++--------`
		73b8f2	`1 file changed, 10 insertions(+), 8 deletions(-)`
		73b8f2
		73b8f2	`diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c`
		73b8f2	`index affd3a2..84ea526 100644`
		73b8f2	`--- a/server/red_parse_qxl.c`
		73b8f2	`+++ b/server/red_parse_qxl.c`
		73b8f2	`@@ -397,6 +397,7 @@ static SpiceImage red_get_image(RedMemSlotInfo slots, int group_id,`
		73b8f2	`uint64_t bitmap_size, size;`
		73b8f2	`uint8_t qxl_flags;`
		73b8f2	`int error;`
		73b8f2	`+ QXLPHYSICAL palette;`
		73b8f2
		73b8f2	`if (addr == 0) {`
		73b8f2	`return NULL;`
		73b8f2	`@@ -422,12 +423,16 @@ static SpiceImage red_get_image(RedMemSlotInfo slots, int group_id,`
		73b8f2	`switch (red->descriptor.type) {`
		73b8f2	`case SPICE_IMAGE_TYPE_BITMAP:`
		73b8f2	`red->u.bitmap.format = qxl->bitmap.format;`
		73b8f2	`- if (!bitmap_fmt_is_rgb(qxl->bitmap.format) && !qxl->bitmap.palette && !is_mask) {`
		73b8f2	`+ red->u.bitmap.x = qxl->bitmap.x;`
		73b8f2	`+ red->u.bitmap.y = qxl->bitmap.y;`
		73b8f2	`+ red->u.bitmap.stride = qxl->bitmap.stride;`
		73b8f2	`+ palette = qxl->bitmap.palette;`
		73b8f2	`+ if (!bitmap_fmt_is_rgb(red->u.bitmap.format) && !palette && !is_mask) {`
		73b8f2	`spice_warning("guest error: missing palette on bitmap format=%d\n",`
		73b8f2	`red->u.bitmap.format);`
		73b8f2	`goto error;`
		73b8f2	`}`
		73b8f2	`- if (qxl->bitmap.x == 0 \|\| qxl->bitmap.y == 0) {`
		73b8f2	`+ if (red->u.bitmap.x == 0 \|\| red->u.bitmap.y == 0) {`
		73b8f2	`spice_warning("guest error: zero area bitmap\n");`
		73b8f2	`goto error;`
		73b8f2	`}`
		73b8f2	`@@ -435,23 +440,20 @@ static SpiceImage red_get_image(RedMemSlotInfo slots, int group_id,`
		73b8f2	`if (qxl_flags & QXL_BITMAP_TOP_DOWN) {`
		73b8f2	`red->u.bitmap.flags = SPICE_BITMAP_FLAGS_TOP_DOWN;`
		73b8f2	`}`
		73b8f2	`- red->u.bitmap.x = qxl->bitmap.x;`
		73b8f2	`- red->u.bitmap.y = qxl->bitmap.y;`
		73b8f2	`- red->u.bitmap.stride = qxl->bitmap.stride;`
		73b8f2	`if (!bitmap_consistent(&red->u.bitmap)) {`
		73b8f2	`goto error;`
		73b8f2	`}`
		73b8f2	`- if (qxl->bitmap.palette) {`
		73b8f2	`+ if (palette) {`
		73b8f2	`QXLPalette *qp;`
		73b8f2	`int i, num_ents;`
		73b8f2	`- qp = (QXLPalette *)get_virt(slots, qxl->bitmap.palette,`
		73b8f2	`+ qp = (QXLPalette *)get_virt(slots, palette,`
		73b8f2	`sizeof(*qp), group_id, &error);`
		73b8f2	`if (error) {`
		73b8f2	`goto error;`
		73b8f2	`}`
		73b8f2	`num_ents = qp->num_ents;`
		73b8f2	`if (!validate_virt(slots, (intptr_t)qp->ents,`
		73b8f2	`- get_memslot_id(slots, qxl->bitmap.palette),`
		73b8f2	`+ get_memslot_id(slots, palette),`
		73b8f2	`num_ents * sizeof(qp->ents[0]), group_id)) {`
		73b8f2	`goto error;`
		73b8f2	`}`
		73b8f2	`--`
		73b8f2	`2.4.3`
		73b8f2

rpms / spice

Source Code

Blame SOURCES/0047-Fix-race-in-red_get_image.patch