* [Qemu-devel] [PULL 0/1] Vga 20180312 patches
@ 2018-03-12 10:59 Gerd Hoffmann
  2018-03-12 10:59 ` [Qemu-devel] [PULL 1/1] vga: fix region calculation Gerd Hoffmann
  2018-03-12 19:40 ` [Qemu-devel] [PULL 0/1] Vga 20180312 patches Peter Maydell
  0 siblings, 2 replies; 4+ messages in thread
From: Gerd Hoffmann @ 2018-03-12 10:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

The following changes since commit e4ae62b802cec437f877f2cadc4ef059cc0eca76:

  Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2018-03-09 17:28:16 +0000)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/vga-20180312-pull-request

for you to fetch changes up to 7cdc61becd095b64a786b2625f321624e7111f3d:

  vga: fix region calculation (2018-03-12 11:45:21 +0100)

----------------------------------------------------------------
7cdc61becd vga: fix region calculation

----------------------------------------------------------------

Gerd Hoffmann (1):
  vga: fix region calculation

 hw/display/vga.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.9.3


* [Qemu-devel] [PULL 1/1] vga: fix region calculation
  2018-03-12 10:59 [Qemu-devel] [PULL 0/1] Vga 20180312 patches Gerd Hoffmann
@ 2018-03-12 10:59 ` Gerd Hoffmann
  2018-03-13 16:13   ` Mark Kanda
  2018-03-12 19:40 ` [Qemu-devel] [PULL 0/1] Vga 20180312 patches Peter Maydell
  1 sibling, 1 reply; 4+ messages in thread
From: Gerd Hoffmann @ 2018-03-12 10:59 UTC (permalink / raw)
  To: qemu-devel; +Cc: Gerd Hoffmann

Typically the scanline length and the line offset are identical.  But
in case they are not our calculation for region_end is incorrect.  Using
line_offset is fine for all scanlines, except the last one where we have
to use the actual scanline length.

Fixes: CVE-2018-7550
Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Message-id: 20180309143704.13420-1-kraxel@redhat.com
---
 hw/display/vga.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 28f298b342..72181330b8 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1483,6 +1483,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
 
     region_start = (s->start_addr * 4);
     region_end = region_start + (ram_addr_t)s->line_offset * height;
+    region_end += width * s->get_bpp(s) / 8; /* scanline length */
+    region_end -= s->line_offset;
     if (region_end > s->vbe_size) {
         /* wraps around (can happen with cirrus vbe modes) */
         region_start = 0;
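Review bot: the added `region_end += width * s->get_bpp(s) / 8;` evaluates its product without the `(ram_addr_t)` cast that the `s->line_offset * height` product on the line above carries, so the scanline length is computed in the operands' own type before it is widened into region_end. Casting the first operand, as in `(ram_addr_t)width * s->get_bpp(s) / 8`, would keep both terms of the bound in the same type and make the intent explicit.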
-- 
2.9.3


* Re: [Qemu-devel] [PULL 0/1] Vga 20180312 patches
  2018-03-12 10:59 [Qemu-devel] [PULL 0/1] Vga 20180312 patches Gerd Hoffmann
  2018-03-12 10:59 ` [Qemu-devel] [PULL 1/1] vga: fix region calculation Gerd Hoffmann
@ 2018-03-12 19:40 ` Peter Maydell
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2018-03-12 19:40 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: QEMU Developers

On 12 March 2018 at 10:59, Gerd Hoffmann <kraxel@redhat.com> wrote:
> The following changes since commit e4ae62b802cec437f877f2cadc4ef059cc0eca76:
>
>   Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging (2018-03-09 17:28:16 +0000)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/vga-20180312-pull-request
>
> for you to fetch changes up to 7cdc61becd095b64a786b2625f321624e7111f3d:
>
>   vga: fix region calculation (2018-03-12 11:45:21 +0100)
>
> ----------------------------------------------------------------
> 7cdc61becd vga: fix region calculation
>
> ----------------------------------------------------------------
>
> Gerd Hoffmann (1):
>   vga: fix region calculation
>
>  hw/display/vga.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> --

Applied, thanks.

-- PMM


* Re: [Qemu-devel] [PULL 1/1] vga: fix region calculation
  2018-03-12 10:59 ` [Qemu-devel] [PULL 1/1] vga: fix region calculation Gerd Hoffmann
@ 2018-03-13 16:13   ` Mark Kanda
  0 siblings, 0 replies; 4+ messages in thread
From: Mark Kanda @ 2018-03-13 16:13 UTC (permalink / raw)
  To: qemu-devel

On 3/12/2018 5:59 AM, Gerd Hoffmann wrote:
> Typically the scanline length and the line offset are identical.  But
> in case they are not our calculation for region_end is incorrect.  Using
> line_offset is fine for all scanlines, except the last one where we have
> to use the actual scanline length.
> 
> Fixes: CVE-2018-7550

This doesn't appear to be the correct CVE number.

https://nvd.nist.gov/vuln/detail/CVE-2018-7550

..please confirm..

Thanks,

-Mark

> Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
> Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> Message-id: 20180309143704.13420-1-kraxel@redhat.com
> ---
>   hw/display/vga.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/hw/display/vga.c b/hw/display/vga.c
> index 28f298b342..72181330b8 100644
> --- a/hw/display/vga.c
> +++ b/hw/display/vga.c
> @@ -1483,6 +1483,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
>   
>       region_start = (s->start_addr * 4);
>       region_end = region_start + (ram_addr_t)s->line_offset * height;
> +    region_end += width * s->get_bpp(s) / 8; /* scanline length */
> +    region_end -= s->line_offset;
>       if (region_end > s->vbe_size) {
>           /* wraps around (can happen with cirrus vbe modes) */
>           region_start = 0;
> 
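Review bot: the `region_end -= s->line_offset;` step is only correct when height is at least 1; with height equal to 0 and a line_offset larger than the scanline length, region_end would drop below region_start before the `region_end > s->vbe_size` check runs. Nothing in the visible context shows height being validated, so either a short comment stating that height >= 1 is guaranteed at this point, or computing the bound as `s->line_offset * (height - 1)` plus the scanline length under an explicit check, would make that assumption visible.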
