diff options
author | Philippe Mathieu-Daudé | 2022-11-28 21:27:40 +0100 |
---|---|---|
committer | Stefan Hajnoczi | 2022-11-30 00:15:26 +0100 |
commit | 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (patch) | |
tree | 6f549781b5b384c4a27fb72b49ee9320841d711e /COPYING | |
parent | hw/display/qxl: Pass requested buffer size to qxl_phys2virt() (diff) | |
download | qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.tar.gz qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.tar.xz qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.zip |
hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.
Similarly qxl_phys2virt() now returns NULL in such case, and
qxl_dirty_one_surface() aborts.
This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().
Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-5-philmd@linaro.org>
Diffstat (limited to 'COPYING')
0 files changed, 0 insertions, 0 deletions