hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144) - bwlp/qemu.git - Experimental fork of QEMU with video encoding patches

diff options

author	Philippe Mathieu-Daudé	2022-11-28 21:27:40 +0100
committer	Stefan Hajnoczi	2022-11-30 00:15:26 +0100
commit	6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (patch)
tree	6f549781b5b384c4a27fb72b49ee9320841d711e /dump/dump.c
parent	hw/display/qxl: Pass requested buffer size to qxl_phys2virt() (diff)
download	qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.tar.gz qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.tar.xz qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.zip

hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)

Have qxl_get_check_slot_offset() return false if the requested buffer size does not fit within the slot memory region. Similarly qxl_phys2virt() now returns NULL in such case, and qxl_dirty_one_surface() aborts. This avoids buffer overrun in the host pointer returned by memory_region_get_ram_ptr(). Fixes: CVE-2022-4144 (out-of-bounds read) Reported-by: Wenxu Yin (@awxylitol) Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20221128202741.4945-5-philmd@linaro.org>

Diffstat (limited to 'dump/dump.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: