two cursor/qxl related security fixes.

-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmJPu/wACgkQTLbY7tPo cTj+JRAAkPmHGgICyETafBCFJbaDD6ySLxUjPbvzz1ng3OT/pzUMDIyJZn5AgKBK 4pnLQIFHBCO7JRAFaI85bUmvZUcLIca+5wmWcqeiRkrqD/FMqWPFQv6uLlJSVHri BsR6ZGgeqkiw743syZfWfuHLU0OgoirwihkymJe7hpiQ21isb/k6b2iqD9gVSgsJ fbMQ9byLeTPrm3W/znNhXe3zAGPd2hCmXFp1+UGkMYhIU3hSJpOz0CCCKBLoEVS1 F2dGMtdZw65eaUe61TLO8TYHhjm6bbXwtKIKRs+81Nb/zhavOoR7g0u5MfwPLnme +UxUUGV3o+ziVM7lmwwImTLA2qr4VQHQ87sN9kDmBKOcAhYKv04UYSAQaQ9zOA+s FN+oQLxUL0TsYj2I6AAcLJ+zrnsZas1h1MptJTGBvUV3MU33qDvwJbk12EjiaRnK zy46J66QmwaNWJa0IMW9rnBcOkMu+qEshYmJZPsy8U1dif33fY4pGOeGoHzXmxVd RB94tXE/s/noBmNHw952a9SAGBKUFpQd8wPPNoYUlUV3qdg1wbf+babEr4Wxh8YE EBlBuWjSJoa0EWDAmtTo/52j2dup+aw90COsLrDZrJm/9nOiJSz0EfkxJsVzIjFn qfgzfEEdjHcMp2WqRip/eoHkAgtP7KGy7vO+11jHOXix93CJo1Y= =5ZKq -----END PGP SIGNATURE----- Merge tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu into staging two cursor/qxl related security fixes. # gpg: Signature made Fri 08 Apr 2022 05:37:16 BST # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-04-08 10:43:30 +01:00 · 2022-04-08 10:43:30 +01:00 · dde8689d1f
commit dde8689d1f
parent 95a3fcc748 fa892e9abb
3 changed files with 17 additions and 2 deletions
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
    size_t size;

    c = cursor_alloc(cursor->header.width, cursor->header.height);
+
+    if (!c) {
+        qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
+                cursor->header.width, cursor->header.height);
+        goto fail;
+    }
+
    c->hot_x = cursor->header.hot_spot_x;
    c->hot_y = cursor->header.hot_spot_y;
    switch (cursor->header.type) {
@ -266,7 +273,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
        }
        break;
    case SPICE_CURSOR_TYPE_ALPHA:
-        size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
+        size = sizeof(uint32_t) * c->width * c->height;
        qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
        if (qxl->debug > 2) {
            cursor_print_ascii_art(c, "qxl/alpha");
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
    int i, pixels;

    qc = cursor_alloc(c->width, c->height);
+    assert(qc != NULL);
+
    qc->hot_x = c->hot_x;
    qc->hot_y = c->hot_y;
    switch (c->bpp) {
--- a/ui/cursor.c
+++ b/ui/cursor.c
@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])

    /* parse pixel data */
    c = cursor_alloc(width, height);
+    assert(c != NULL);
+
    for (pixel = 0, y = 0; y < height; y++, line++) {
        for (x = 0; x < height; x++, pixel++) {
            idx = xpm[line][x];
@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
 QEMUCursor *cursor_alloc(int width, int height)
 {
    QEMUCursor *c;
-    int datasize = width * height * sizeof(uint32_t);
+    size_t datasize = width * height * sizeof(uint32_t);
+
+    if (width > 512 || height > 512) {
+        return NULL;
+    }

    c = g_malloc0(sizeof(QEMUCursor) + datasize);
    c->width  = width;