* [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
@ 2016-12-14 7:01 P J P
2016-12-20 11:04 ` P J P
2016-12-20 11:08 ` Marc-André Lureau
0 siblings, 2 replies; 15+ messages in thread
From: P J P @ 2016-12-14 7:01 UTC (permalink / raw)
To: Qemu Developers
Cc: Zhenhao Hong, Marc-André Lureau, Gerd Hoffmann, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/display/virtio-gpu-3d.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 758d33a..6ceeba3 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
+ if (!max_size) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+ return;
+ }
+
resp = g_malloc(sizeof(*resp) + max_size);
-
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
virgl_renderer_fill_caps(gc.capset_id,
gc.capset_version,
--
2.9.3
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-14 7:01 [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size P J P
@ 2016-12-20 11:04 ` P J P
2016-12-20 14:36 ` Gerd Hoffmann
2016-12-20 11:08 ` Marc-André Lureau
1 sibling, 1 reply; 15+ messages in thread
From: P J P @ 2016-12-20 11:04 UTC (permalink / raw)
To: Qemu Developers; +Cc: Zhenhao Hong, Marc-André Lureau, Gerd Hoffmann
+-- On Wed, 14 Dec 2016, P J P wrote --+
| From: Prasad J Pandit <pjp@fedoraproject.org>
|
| Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
| command, retrieves the maximum capabilities size to fill in the
| response object. It continues to fill in capabilities even if
| retrieved 'max_size' is zero(0), thus resulting in OOB access.
| Add check to avoid it.
|
| Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
| Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
| ---
| hw/display/virtio-gpu-3d.c | 6 +++++-
| 1 file changed, 5 insertions(+), 1 deletion(-)
|
| diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
| index 758d33a..6ceeba3 100644
| --- a/hw/display/virtio-gpu-3d.c
| +++ b/hw/display/virtio-gpu-3d.c
| @@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
| virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
| &max_size);
| + if (!max_size) {
| + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
| + return;
| + }
| +
| resp = g_malloc(sizeof(*resp) + max_size);
| -
| resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
| virgl_renderer_fill_caps(gc.capset_id,
| gc.capset_version,
|
Ping..!
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-14 7:01 [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size P J P
2016-12-20 11:04 ` P J P
@ 2016-12-20 11:08 ` Marc-André Lureau
2016-12-20 11:56 ` P J P
1 sibling, 1 reply; 15+ messages in thread
From: Marc-André Lureau @ 2016-12-20 11:08 UTC (permalink / raw)
To: P J P, Qemu Developers; +Cc: Zhenhao Hong, Gerd Hoffmann, Prasad J Pandit
Hi
On Wed, Dec 14, 2016 at 8:02 AM P J P <ppandit@redhat.com> wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
> command, retrieves the maximum capabilities size to fill in the
> response object. It continues to fill in capabilities even if
> retrieved 'max_size' is zero(0), thus resulting in OOB access.
> Add check to avoid it.
>
> Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/virtio-gpu-3d.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
> index 758d33a..6ceeba3 100644
> --- a/hw/display/virtio-gpu-3d.c
> +++ b/hw/display/virtio-gpu-3d.c
> @@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
>
> virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
> &max_size);
> + if (!max_size) {
>
Shouldn't it check for >= sizeof(union virgl_caps) ? (since that's what
virglrenderer vrend_renderer_fill_caps() expects)
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
> + return;
> + }
> +
> resp = g_malloc(sizeof(*resp) + max_size);
> -
> resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
> virgl_renderer_fill_caps(gc.capset_id,
> gc.capset_version,
> --
> 2.9.3
>
> --
Marc-André Lureau
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-20 11:08 ` Marc-André Lureau
@ 2016-12-20 11:56 ` P J P
2016-12-20 13:52 ` Marc-André Lureau
0 siblings, 1 reply; 15+ messages in thread
From: P J P @ 2016-12-20 11:56 UTC (permalink / raw)
To: Marc-André Lureau; +Cc: Qemu Developers, Zhenhao Hong, Gerd Hoffmann
Hello Marc,
+-- On Tue, 20 Dec 2016, Marc-André Lureau wrote --+
| > + if (!max_size) {
|
| Shouldn't it check for >= sizeof(union virgl_caps) ? (since that's what
| virglrenderer vrend_renderer_fill_caps() expects)
No, 'max_size' isn't set by a user, it's set by the library function
'vrend_renderer_get_cap_set'.
-> https://cgit.freedesktop.org/~airlied/virglrenderer/tree/src/vrend_renderer.c#n6280
And if not zero, it'll be set to sizeof(union virgl_caps).
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-20 11:56 ` P J P
@ 2016-12-20 13:52 ` Marc-André Lureau
0 siblings, 0 replies; 15+ messages in thread
From: Marc-André Lureau @ 2016-12-20 13:52 UTC (permalink / raw)
To: P J P; +Cc: Qemu Developers, Zhenhao Hong, Gerd Hoffmann
Hi
On Tue, Dec 20, 2016 at 12:56 PM P J P <ppandit@redhat.com> wrote:
> Hello Marc,
>
> +-- On Tue, 20 Dec 2016, Marc-André Lureau wrote --+
> | > + if (!max_size) {
> |
> | Shouldn't it check for >= sizeof(union virgl_caps) ? (since that's what
> | virglrenderer vrend_renderer_fill_caps() expects)
>
> No, 'max_size' isn't set by a user, it's set by the library function
> 'vrend_renderer_get_cap_set'.
>
> ->
> https://cgit.freedesktop.org/~airlied/virglrenderer/tree/src/vrend_renderer.c#n6280
>
> And if not zero, it'll be set to sizeof(union virgl_caps).
>
ok
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
--
Marc-André Lureau
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-20 11:04 ` P J P
@ 2016-12-20 14:36 ` Gerd Hoffmann
0 siblings, 0 replies; 15+ messages in thread
From: Gerd Hoffmann @ 2016-12-20 14:36 UTC (permalink / raw)
To: P J P; +Cc: Qemu Developers, Zhenhao Hong, Marc-André Lureau
On Di, 2016-12-20 at 16:34 +0530, P J P wrote:
>
> Ping..!
Queued up now. But I don't feel like sending a pull request hours
before disappearing into the xmas holidays, so that'll happen in
january.
cheers,
Gerd
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 16:01 ` Marc-André Lureau
@ 2016-12-14 7:03 ` P J P
0 siblings, 0 replies; 15+ messages in thread
From: P J P @ 2016-12-14 7:03 UTC (permalink / raw)
To: Marc-André Lureau; +Cc: Gerd Hoffmann, Zhenhao Hong, Qemu Developers
+-- On Tue, 13 Dec 2016, Marc-André Lureau wrote --+
| > - resp = g_malloc(sizeof(*resp) + max_size);
| > + if (!max_size) {
| > + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
| > + return;
| > + }
| >
| > + resp = g_malloc(sizeof(*resp) + max_size);
| > resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
| That looks good to me, waiting for the proper patch.
Okay, sent. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 14:26 ` P J P
@ 2016-12-13 16:01 ` Marc-André Lureau
2016-12-14 7:03 ` P J P
0 siblings, 1 reply; 15+ messages in thread
From: Marc-André Lureau @ 2016-12-13 16:01 UTC (permalink / raw)
To: P J P, Gerd Hoffmann; +Cc: Zhenhao Hong, Qemu Developers
Hi
On Tue, Dec 13, 2016 at 5:27 PM P J P <ppandit@redhat.com> wrote:
> +-- On Tue, 13 Dec 2016, Gerd Hoffmann wrote --+
> | I guess we want throw an error (VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER)
> | in the error case then instead of leaving resp->hdr.type unset.
>
> I see, okay. Does the patch below look okay?
>
> ===
> diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
> index 758d33a..6ceeba3 100644
> --- a/hw/display/virtio-gpu-3d.c
> +++ b/hw/display/virtio-gpu-3d.c
> @@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
>
> virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
> &max_size);
> - resp = g_malloc(sizeof(*resp) + max_size);
> + if (!max_size) {
> + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
> + return;
> + }
>
> + resp = g_malloc(sizeof(*resp) + max_size);
> resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
> virgl_renderer_fill_caps(gc.capset_id,
> gc.capset_version,
> ===
>
>
That looks good to me, waiting for the proper patch.
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
> --
Marc-André Lureau
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 12:07 ` Gerd Hoffmann
@ 2016-12-13 14:26 ` P J P
2016-12-13 16:01 ` Marc-André Lureau
0 siblings, 1 reply; 15+ messages in thread
From: P J P @ 2016-12-13 14:26 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Qemu Developers, Zhenhao Hong
+-- On Tue, 13 Dec 2016, Gerd Hoffmann wrote --+
| I guess we want throw an error (VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER)
| in the error case then instead of leaving resp->hdr.type unset.
I see, okay. Does the patch below look okay?
===
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 758d33a..6ceeba3 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
- resp = g_malloc(sizeof(*resp) + max_size);
+ if (!max_size) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+ return;
+ }
+ resp = g_malloc(sizeof(*resp) + max_size);
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
virgl_renderer_fill_caps(gc.capset_id,
gc.capset_version,
===
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 11:50 ` P J P
@ 2016-12-13 12:07 ` Gerd Hoffmann
2016-12-13 14:26 ` P J P
0 siblings, 1 reply; 15+ messages in thread
From: Gerd Hoffmann @ 2016-12-13 12:07 UTC (permalink / raw)
To: P J P; +Cc: Qemu Developers, Zhenhao Hong
> | This is not the guest returning the size, it is the host renderer
> | library saying how much space it needs ...
>
> The library funcion checks 'capset_id' supplied via the 'cmd' object, as
> 'gc' is initialised from a given command 'cmd'. It sets 'max_size=0' if
> capset_id != VREND_CAP_SET.
Ah, ok, that makes sense.
I guess we want throw an error (VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER)
in the error case then instead of leaving resp->hdr.type unset.
cheers,
Gerd
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 11:17 ` Gerd Hoffmann
@ 2016-12-13 11:50 ` P J P
2016-12-13 12:07 ` Gerd Hoffmann
0 siblings, 1 reply; 15+ messages in thread
From: P J P @ 2016-12-13 11:50 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Qemu Developers, Zhenhao Hong
Hello Gerd,
+-- On Tue, 13 Dec 2016, Gerd Hoffmann wrote --+
| On Di, 2016-12-13 at 12:44 +0530, P J P wrote:
| > From: Prasad J Pandit <pjp@fedoraproject.org>
| >
| > Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
| > command, retrieves the maximum capabilities size to fill in the
| > response object. It continues to fill in capabilities even if
| > retrieved 'max_size' is zero(0), thus resulting in OOB access.
| > Add check to avoid it.
|
| Hmm? Did you see this happing in practice?
Yes, there is a reproducer from Zhenhao.
| > diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
| > index 758d33a..fbfb39f 100644
| > --- a/hw/display/virtio-gpu-3d.c
| > +++ b/hw/display/virtio-gpu-3d.c
| > @@ -371,11 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
| > virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
| > &max_size);
|
| This is not the guest returning the size, it is the host renderer
| library saying how much space it needs ...
The library funcion checks 'capset_id' supplied via the 'cmd' object, as
'gc' is initialised from a given command 'cmd'. It sets 'max_size=0' if
capset_id != VREND_CAP_SET.
VIRTIO_GPU_FILL_CMD(gc)
virgl_renderer_get_cap_set(gc.capset_id
-> vrend_renderer_get_cap_set
-> https://cgit.freedesktop.org/~airlied/virglrenderer/tree/src/vrend_renderer.c#n6280
if (cap_set != VREND_CAP_SET) {
*max_ver = 0;
*max_size = 0;
return;
}
| > - virgl_renderer_fill_caps(gc.capset_id,
| > - gc.capset_version,
| > - (void *)resp->capset_data);
|
| ... and here the renderer fills the qemu-allocated space with the actual
| data.
|
| Can't see anything wrong here.
IIUC, when max_size=0, g_malloc allocates memory for the 'resp' object,
with sizeof(capset_data)=0. But 'virgl_renderer_fill_caps' would try to fill
in upto sizeof(union virgl_caps).
-> https://cgit.freedesktop.org/~airlied/virglrenderer/tree/src/vrend_renderer.c#n5940
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 10:52 ` Pankaj Gupta
@ 2016-12-13 11:33 ` P J P
0 siblings, 0 replies; 15+ messages in thread
From: P J P @ 2016-12-13 11:33 UTC (permalink / raw)
To: Pankaj Gupta; +Cc: Qemu Developers, Zhenhao Hong, Gerd Hoffmann
+-- On Tue, 13 Dec 2016, Pankaj Gupta wrote --+
| > + if (max_size) {
| > + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
| > + virgl_renderer_fill_caps(gc.capset_id,
| > + gc.capset_version,
| > + (void *)resp->capset_data);
| > + }
| > virtio_gpu_ctrl_response(g, cmd, &resp->hdr, sizeof(*resp) + max_size);
|
| Just one point here for 'max_size=0', do we don't require to set resp->hdr.type?
I thought hdr.type is if capabilities data is set.
| If yes, other patch on list by 'Li Qiang' can also help to avoid sending garbage value.
g_malloc0 one? Yes.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 7:14 P J P
2016-12-13 10:52 ` Pankaj Gupta
@ 2016-12-13 11:17 ` Gerd Hoffmann
2016-12-13 11:50 ` P J P
1 sibling, 1 reply; 15+ messages in thread
From: Gerd Hoffmann @ 2016-12-13 11:17 UTC (permalink / raw)
To: P J P; +Cc: Qemu Developers, Zhenhao Hong, Prasad J Pandit
On Di, 2016-12-13 at 12:44 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
> command, retrieves the maximum capabilities size to fill in the
> response object. It continues to fill in capabilities even if
> retrieved 'max_size' is zero(0), thus resulting in OOB access.
> Add check to avoid it.
Hmm? Did you see this happing in practice?
> diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
> index 758d33a..fbfb39f 100644
> --- a/hw/display/virtio-gpu-3d.c
> +++ b/hw/display/virtio-gpu-3d.c
> @@ -371,11 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
> virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
> &max_size);
This is not the guest returning the size, it is the host renderer
library saying how much space it needs ...
> resp = g_malloc(sizeof(*resp) + max_size);
> -
> - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
> - virgl_renderer_fill_caps(gc.capset_id,
> - gc.capset_version,
> - (void *)resp->capset_data);
... and here the renderer fills the qemu-allocated space with the actual
data.
Can't see anything wrong here. It's not that we process untrusted data
without checking. If a buffer overflow happens here this would clearly
be a bug in the virglrenderer library, because the size advertised and
the size actually needed mismatch.
cheers,
Gerd
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
2016-12-13 7:14 P J P
@ 2016-12-13 10:52 ` Pankaj Gupta
2016-12-13 11:33 ` P J P
2016-12-13 11:17 ` Gerd Hoffmann
1 sibling, 1 reply; 15+ messages in thread
From: Pankaj Gupta @ 2016-12-13 10:52 UTC (permalink / raw)
To: P J P; +Cc: Qemu Developers, Zhenhao Hong, Gerd Hoffmann, Prasad J Pandit
>
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
> command, retrieves the maximum capabilities size to fill in the
> response object. It continues to fill in capabilities even if
> retrieved 'max_size' is zero(0), thus resulting in OOB access.
> Add check to avoid it.
>
> Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/display/virtio-gpu-3d.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
> index 758d33a..fbfb39f 100644
> --- a/hw/display/virtio-gpu-3d.c
> +++ b/hw/display/virtio-gpu-3d.c
> @@ -371,11 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
> virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
> &max_size);
> resp = g_malloc(sizeof(*resp) + max_size);
> -
> - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
> - virgl_renderer_fill_caps(gc.capset_id,
> - gc.capset_version,
> - (void *)resp->capset_data);
> + if (max_size) {
> + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
> + virgl_renderer_fill_caps(gc.capset_id,
> + gc.capset_version,
> + (void *)resp->capset_data);
> + }
> virtio_gpu_ctrl_response(g, cmd, &resp->hdr, sizeof(*resp) + max_size);
Just one point here for 'max_size=0', do we don't require to set resp->hdr.type?
If yes, other patch on list by 'Li Qiang' can also help to avoid sending garbage value.
> g_free(resp);
> }
> --
> 2.9.3
>
>
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
@ 2016-12-13 7:14 P J P
2016-12-13 10:52 ` Pankaj Gupta
2016-12-13 11:17 ` Gerd Hoffmann
0 siblings, 2 replies; 15+ messages in thread
From: P J P @ 2016-12-13 7:14 UTC (permalink / raw)
To: Qemu Developers; +Cc: Gerd Hoffmann, Zhenhao Hong, Prasad J Pandit
From: Prasad J Pandit <pjp@fedoraproject.org>
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/display/virtio-gpu-3d.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 758d33a..fbfb39f 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,11 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
resp = g_malloc(sizeof(*resp) + max_size);
-
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
- gc.capset_version,
- (void *)resp->capset_data);
+ if (max_size) {
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+ gc.capset_version,
+ (void *)resp->capset_data);
+ }
virtio_gpu_ctrl_response(g, cmd, &resp->hdr, sizeof(*resp) + max_size);
g_free(resp);
}
--
2.9.3
^ permalink raw reply related [flat|nested] 15+ messages in thread
end of thread, other threads:[~2016-12-20 14:36 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-14 7:01 [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size P J P
2016-12-20 11:04 ` P J P
2016-12-20 14:36 ` Gerd Hoffmann
2016-12-20 11:08 ` Marc-André Lureau
2016-12-20 11:56 ` P J P
2016-12-20 13:52 ` Marc-André Lureau
-- strict thread matches above, loose matches on Subject: below --
2016-12-13 7:14 P J P
2016-12-13 10:52 ` Pankaj Gupta
2016-12-13 11:33 ` P J P
2016-12-13 11:17 ` Gerd Hoffmann
2016-12-13 11:50 ` P J P
2016-12-13 12:07 ` Gerd Hoffmann
2016-12-13 14:26 ` P J P
2016-12-13 16:01 ` Marc-André Lureau
2016-12-14 7:03 ` P J P
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.