mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
205ccfd7a5
qemu/hw
History
Philippe Mathieu-Daudé 205ccfd7a5 hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638) 
When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
we get:

  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  (gdb) bt
  #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
  #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
  #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
  #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
  #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb ("ati-vga: Fix reverse bit blts") introduced
the local dst_x and dst_y which adjust the (x, y) coordinates
depending on the direction in the SRCCOPY ROP3 operation, but
forgot to address the same issue for the PATCOPY, BLACKNESS and
WHITENESS operations, which also call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill
call, and update the related debug printf().

Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
Fixes: 584acf34cb ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-27 07:32:31 +02:00
..
9pfs trivial typos: namesapce 2022-06-28 11:06:44 +02:00
acpi acpi/nvdimm: Define trace events for NVDIMM and substitute nvdimm_debug() 2022-07-26 10:37:46 -04:00
adc hw/adc: Make adci[*] R/W in NPCM7XX ADC 2022-07-18 13:20:14 +01:00
alpha Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
arm target/arm: Make boards pass base address to armv7m_load_kernel() 2022-09-14 11:19:40 +01:00
audio hw/audio/cs4231a: Const'ify global tables 2022-06-11 11:44:50 +02:00
avr Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
block virtio-scsi: fix race in virtio_scsi_dataplane_start() 2022-08-17 07:07:37 -04:00
char acpi: serial-is: replace ISADeviceClass::build_aml with AcpiDevAmlIfClass:build_dev_aml 2022-06-09 19:32:48 -04:00
core hw/core: fix platform bus node name 2022-09-07 09:18:33 +02:00
cpu
cris Do not include exec/address-spaces.h if it's not really necessary 2021-05-02 17:24:51 +02:00
cxl hw/cxl: Correctly handle variable sized mailbox input payloads. 2022-08-17 13:08:11 -04:00
display hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638) 2022-09-27 07:32:31 +02:00
dma ptimer: Rename PTIMER_POLICY_DEFAULT to PTIMER_POLICY_LEGACY 2022-05-19 16:19:03 +01:00
gpio hw/gpio/aspeed: Don't let guests modify input pins 2022-07-14 16:24:38 +02:00
hppa lasips2: remove legacy lasips2_initfn() function 2022-07-18 19:28:46 +01:00
hyperv hw/hyperv/vmbus: Remove unused vmbus_load/save_req() 2022-05-30 19:49:42 +02:00
i2c hw/i2c/pmbus: Add idle state to return 0xff's 2022-07-14 16:24:38 +02:00
i386 util: accept iova_tree_remove_parameter by value 2022-09-02 10:22:39 +08:00
ide block: Change blk_{pread,pwrite}() param order 2022-07-12 12:14:56 +02:00
input pckbd: remove legacy i8042_mm_init() function 2022-07-18 19:28:46 +01:00
intc hw/intc: Move mtimer/mtimecmp to aclint 2022-09-07 09:19:10 +02:00
ipack qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
ipmi ipmi:smbus: Add a check around a memcpy 2022-08-01 06:40:50 -05:00
isa hw/i386/xen/xen-hvm: Inline xen_piix_pci_write_config_client() and remove it 2022-06-29 00:24:59 +02:00
loongarch hw/loongarch: Improve acpi dsdt table 2022-09-20 15:44:25 +08:00
m68k goldfish_rtc: Add big-endian property 2022-09-04 07:02:56 +01:00
mem mem/cxl_type3: Add read and write functions for associated hostmem. 2022-05-13 07:57:26 -04:00
microblaze hw/microblaze: pass random seed to fdt 2022-09-21 19:59:56 +02:00
mips hw/mips/malta: turn off x86 specific features of PIIX4_PM 2022-08-08 23:23:11 +02:00
misc hw/arm/bcm2835_property: Add support for RPI_FIRMWARE_FRAMEBUFFER_GET_NUM_DISPLAYS 2022-09-14 11:19:39 +01:00
net net: tulip: Restrict DMA engine to memories 2022-09-02 10:22:39 +08:00
nios2 hw/nios2: virt: pass random seed to fdt 2022-07-22 19:01:44 +02:00
nubus qbus: Rename qbus_create_inplace() to qbus_init() 2021-09-30 13:42:10 +01:00
nvme hw/nvme: do not enable ioeventfd by default 2022-08-01 12:01:21 +02:00
nvram block: Change blk_{pread,pwrite}() param order 2022-07-12 12:14:56 +02:00
openrisc hw/openrisc: virt: pass random seed to fdt 2022-09-04 07:02:57 +01:00
pci trivial patches pull request 20220629 2022-06-30 04:49:40 +05:30
pci-bridge pci-bridge/cxl_downstream: Add a CXL switch downstream port 2022-06-16 12:54:57 -04:00
pci-host hw/pci-host: pnv_phb{3, 4}: Fix heap out-of-bound access failure 2022-09-20 12:31:53 -03:00
pcmcia hw/pcmcia: Do not register PCMCIA type if not required 2021-05-02 17:24:50 +02:00
ppc ppc patch queue for 2022-09-20: 2022-09-21 13:11:57 -04:00
rdma hw/pvrdma: Some cosmetic fixes 2022-04-26 12:25:14 +02:00
remote vfio-user: handle reset of remote device 2022-06-15 16:43:42 +01:00
riscv hw/riscv: virt: Add PMU DT node to the device tree 2022-09-07 09:19:15 +02:00
rtc goldfish_rtc: Add big-endian property 2022-09-04 07:02:56 +01:00
rx hw/rx: pass random seed to fdt 2022-07-22 19:01:44 +02:00
s390x s390x/cpumodel: add stfl197 processor-activity-instrumentation extension 1 2022-08-25 21:59:04 +02:00
scsi scsi: Reject commands if the CDB length exceeds buf_len 2022-09-01 07:42:37 +02:00
sd block: Change blk_{pread,pwrite}() param order 2022-07-12 12:14:56 +02:00
sensor hw/sensor: Add Renesas ISL69259 device model 2022-07-14 16:24:38 +02:00
sh4 Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
smbios smbios: sanitize type from external type before checking have_fields_bitmap 2022-09-18 09:17:40 +02:00
sparc machine: make memory-backend a link property 2022-05-12 12:29:44 +02:00
sparc64 hw: Reuse TYPE_I8042 define 2022-06-11 11:44:50 +02:00
ssi aspeed/smc: Fix potential overflow 2022-06-30 09:21:13 +02:00
timer hw/intc: Move mtimer/mtimecmp to aclint 2022-09-07 09:19:10 +02:00
tpm tpm_crb: Avoid backend startup just before shutdown under Xen 2022-09-09 17:55:59 -04:00
tricore hw/tricore: fix inclusion of tricore_testboard 2021-07-20 20:10:21 +02:00
usb usbnet: Report link-up via interrupt endpoint in CDC-ECM mode 2022-09-27 07:32:31 +02:00
vfio ui/console: Do not return a value with ui_info 2022-06-14 10:34:37 +02:00
virtio vdpa: Delete CVQ migration blocker 2022-09-02 10:22:39 +08:00
watchdog ppc/spapr: Implement H_WATCHDOG 2022-07-06 10:22:38 -03:00
xen xen/pass-through: don't create needless register group 2022-07-05 14:19:48 +01:00
xenpv Warn user if the vga flag is passed but no vga device is created 2022-05-09 08:21:14 +02:00
xtensa hw/xtensa: fix reset value of MIROUT register of MX PIC 2022-05-06 15:27:40 -07:00
Kconfig hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00
meson.build hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00