From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Qiuhao Li" <Qiuhao.Li@outlook.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Eric Blake" <eblake@redhat.com>,
	"Darren Kenny" <darren.kenny@oracle.com>,
	"Bandan Das" <bsd@redhat.com>,
	"Alexander Bulekov" <alxndr@bu.edu>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Akihiko Odaki" <akihiko.odaki@gmail.com>,
	"Alexandre Ratchov" <alex@caoua.org>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"Qiang Liu" <qiangliu@zju.edu.cn>,
	"Mauro Matteo Cascella" <mcascell@redhat.com>
Subject: [PULL 23/24] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)
Date: Tue, 27 Sep 2022 10:19:11 +0200
Message-ID: <20220927081912.180983-24-kraxel@redhat.com>
In-Reply-To: <20220927081912.180983-1-kraxel@redhat.com>

From: Philippe Mathieu-Daudé <philmd@redhat.com>

When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
we get:

  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  (gdb) bt
  #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
  #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
  #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
  #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
  #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
the local dst_x and dst_y which adjust the (x, y) coordinates
depending on the direction in the SRCCOPY ROP3 operation, but
forgot to address the same issue for the PATCOPY, BLACKNESS and
WHITENESS operations, which also call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill
call, and update the related debug printf().

Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/ati_2d.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 4dc10ea79529..692bec91de45 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
     DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
             s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
             s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
-            s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
+            s->regs.src_x, s->regs.src_y, dst_x, dst_y,
             s->regs.dst_width, s->regs.dst_height,
             (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
             (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
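Review bot: after this change the "(%d,%d)" slot in the DPRINTF carries the adjusted dst_x/dst_y instead of the raw s->regs.dst_x/dst_y, so a trace like the one in the commit message no longer shows what the guest actually wrote to DST_X and DST_Y. Consider printing both (for example "(%d,%d) adj (%d,%d)") so a bug report still exposes the register values, and check that %d matches the declared type of the locals, since they are not visible in this hunk.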
@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
         dst_stride /= sizeof(uint32_t);
         DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
                 dst_bits, dst_stride, bpp,
-                s->regs.dst_x, s->regs.dst_y,
+                dst_x, dst_y,
                 s->regs.dst_width, s->regs.dst_height,
                 filler);
         pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
-                    s->regs.dst_x, s->regs.dst_y,
+                    dst_x, dst_y,
                     s->regs.dst_width, s->regs.dst_height,
                     filler);
         if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
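Review bot: the only check visible around the fill is the vbe_start_addr comparison after pixman_fill(), and that guards the dirty-region update, not the write itself; nothing in this hunk bounds dst_x + dst_width or dst_y + dst_height against VRAM. Please confirm that the VRAM range check earlier in ati_2d_blt() is computed from the same adjusted dst_x/dst_y now passed here, and state that in the commit message: it is what turns passing the raw s->regs.dst_x/dst_y (x:16383, y:16383 with w:16383, h:16383 at stride 254 in the trace) into an out-of-bounds write rather than merely a mispositioned fill.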
-- 
2.37.3
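Added example, not QEMU's code and not part of this mail: a small C model of the coordinate adjustment the commit message refers to, with a VRAM range check over the resulting fill rectangle, fed with the register values from the trace above. The DST_X_LEFT_TO_RIGHT/DST_Y_TOP_TO_BOTTOM bit positions, the `reg + 1 - extent` formula for the reverse direction, the byte-offset arithmetic and the 16 MiB VRAM size are assumptions.

```c
/* Added example, not QEMU code: model of the ATI 2D fill rectangle and a
 * VRAM range check over it. Bit positions, the reverse-direction formula
 * and the 16 MiB VRAM size are assumptions, not taken from this mail. */
#include <stdbool.h>
#include <stdint.h>

#define DST_X_LEFT_TO_RIGHT (1u << 0)   /* assumed bit layout of DP_CNTL */
#define DST_Y_TOP_TO_BOTTOM (1u << 1)

struct blt_regs {
    uint32_t dp_cntl, dst_offset, dst_pitch_bytes;
    uint32_t dst_x, dst_y, dst_width, dst_height;
};

/* For a reverse blit the register holds the far edge of the rectangle;
 * the top-left origin pixman_fill() expects is reg + 1 - extent (assumed
 * to be the adjustment 584acf34cb0 applies for SRCCOPY). */
static void adjusted_origin(const struct blt_regs *r, int *x, int *y)
{
    *x = (r->dp_cntl & DST_X_LEFT_TO_RIGHT) ? (int)r->dst_x
                                            : (int)r->dst_x + 1 - (int)r->dst_width;
    *y = (r->dp_cntl & DST_Y_TOP_TO_BOTTOM) ? (int)r->dst_y
                                            : (int)r->dst_y + 1 - (int)r->dst_height;
}

/* Byte offset one past the last byte pixman_fill(dst, stride, bpp, x, y,
 * w, h) writes, relative to the start of VRAM. */
static int64_t fill_end_offset(const struct blt_regs *r, int x, int y, int bpp)
{
    int64_t last_row = (int64_t)y + r->dst_height - 1;
    int64_t end_col = (int64_t)x + r->dst_width;
    return (int64_t)r->dst_offset + last_row * r->dst_pitch_bytes + end_col * bpp / 8;
}

/* The check a device model must pass before touching VRAM; a negative
 * origin (reverse blit wider than its start coordinate) is rejected too. */
static bool fill_fits_vram(const struct blt_regs *r, int x, int y, int bpp,
                           int64_t vram_size)
{
    return x >= 0 && y >= 0 && fill_end_offset(r, x, y, bpp) <= vram_size;
}

/* Register values constructed from the trace in the commit message:
 * DP_CNTL=0x1 ('>' '^'), DST_X/Y=16383, 16383x16383, stride 254 words,
 * 8 bpp, dst_offset 0. */
static struct blt_regs trace_regs(void)
{
    struct blt_regs r = { 0x1, 0, 254 * 4, 16383, 16383, 16383, 16383 };
    return r;
}
```

In this model the raw DST_X/DST_Y put the end of the fill about 33 MB into a 16 MiB VRAM, while the adjusted origin (16383, 1) ends just inside it; checking one pair of coordinates and filling with the other is exactly the mismatch the patch removes.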


