Re: Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy

Re: Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy

[Michael Young]

On Fri, 10 Feb 2017, Xen.org security team wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>            Xen Security Advisory CVE-2017-2615 / XSA-208
>
>                   oob access in cirrus bitblt copy

The qemu-xen-traditional patch is malformed, as the file it tries to patch 
is at the xen-qemu location and the before and after line counts are 
wrong, so

--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -307,11 +307,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,

should be (if I have got the offset right)

--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,

 	Michael Young

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-users] Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy

[Roger Pau Monné]

On Fri, Feb 10, 2017 at 12:43:17PM +0000, Xen.org security team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>             Xen Security Advisory CVE-2017-2615 / XSA-208
> 
>                    oob access in cirrus bitblt copy
> 
> ISSUE DESCRIPTION
> =================
> 
> When doing bitblt copy backwards, qemu should negate the blit width.
> This avoids an oob access before the start of video memory.
> 
> IMPACT
> ======
> 
> A malicious guest administrator can cause an out of bounds memory
> access, possibly leading to information disclosure or privilege
> escalation.
> 
> VULNERABLE SYSTEMS
> ==================
> 
> Versions of qemu shipped with all Xen versions are vulnerable.
> 
> Xen systems running on x86 with HVM guests, with the qemu process
> running in dom0 are vulnerable.
> 
> Only guests provided with the "cirrus" emulated video card can exploit
> the vulnerability.  The non-default "stdvga" emulated video card is
> not vulnerable.  (With xl the emulated video card is controlled by the
> "stdvga=" and "vga=" domain configuration options.)
> 
> ARM systems are not vulnerable.  Systems using only PV guests are not
> vulnerable.
> 
> For VMs whose qemu process is running in a stub domain, a successful
> attacker will only gain the privileges of that stubdom, which should
> be only over the guest itself.
> 
> Both upstream-based versions of qemu (device_model_version="qemu-xen")
> and `traditional' qemu (device_model_version="qemu-xen-traditional")
> are vulnerable.
> 
> MITIGATION
> ==========
> 
> Running only PV guests will avoid the issue.
> 
> Running HVM guests with the device model in a stubdomain will mitigate
> the issue.
> 
> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
> in the xl domain configuration) will avoid the vulnerability.
> 
> RESOLUTION
> ==========
> 
> Applying the appropriate attached patch resolves this issue.
> 
> xsa208-qemuu.patch    qemu-xen, mainline qemu

The patch doesn't apply cleanly against the QEMU-upstream found in Xen 4.7.1:

http://beefy9.nyi.freebsd.org/data/110amd64-default/433828/logs/xen-tools-4.7.1_2.log

Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-users] Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy

[George Dunlap]

On Sat, Feb 11, 2017 at 8:49 AM, Roger Pau Monné <roger.pau@citrix.com> wrote:
> On Fri, Feb 10, 2017 at 12:43:17PM +0000, Xen.org security team wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>             Xen Security Advisory CVE-2017-2615 / XSA-208
>>
>>                    oob access in cirrus bitblt copy
>>
>> ISSUE DESCRIPTION
>> =================
>>
>> When doing bitblt copy backwards, qemu should negate the blit width.
>> This avoids an oob access before the start of video memory.
>>
>> IMPACT
>> ======
>>
>> A malicious guest administrator can cause an out of bounds memory
>> access, possibly leading to information disclosure or privilege
>> escalation.
>>
>> VULNERABLE SYSTEMS
>> ==================
>>
>> Versions of qemu shipped with all Xen versions are vulnerable.
>>
>> Xen systems running on x86 with HVM guests, with the qemu process
>> running in dom0 are vulnerable.
>>
>> Only guests provided with the "cirrus" emulated video card can exploit
>> the vulnerability.  The non-default "stdvga" emulated video card is
>> not vulnerable.  (With xl the emulated video card is controlled by the
>> "stdvga=" and "vga=" domain configuration options.)
>>
>> ARM systems are not vulnerable.  Systems using only PV guests are not
>> vulnerable.
>>
>> For VMs whose qemu process is running in a stub domain, a successful
>> attacker will only gain the privileges of that stubdom, which should
>> be only over the guest itself.
>>
>> Both upstream-based versions of qemu (device_model_version="qemu-xen")
>> and `traditional' qemu (device_model_version="qemu-xen-traditional")
>> are vulnerable.
>>
>> MITIGATION
>> ==========
>>
>> Running only PV guests will avoid the issue.
>>
>> Running HVM guests with the device model in a stubdomain will mitigate
>> the issue.
>>
>> Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
>> in the xl domain configuration) will avoid the vulnerability.
>>
>> RESOLUTION
>> ==========
>>
>> Applying the appropriate attached patch resolves this issue.
>>
>> xsa208-qemuu.patch    qemu-xen, mainline qemu
>
> The patch doesn't apply cleanly against the QEMU-upstream found in Xen 4.7.1:
>
> http://beefy9.nyi.freebsd.org/data/110amd64-default/433828/logs/xen-tools-4.7.1_2.log

I'm working on an updated advisory., but in the meantime, Stefano
checked in backported patches to the qemu-xen tree already; you can
get those from the staging-4.* branches.

(That doesn't address the qemu-traditional issues -- for those you'll
have to wait for the updated advisory.)

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy

[Xen.org security team]

[-- Attachment #1: Type: text/plain, Size: 3050 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2615 / XSA-208
                              version 2

                   oob access in cirrus bitblt copy

UPDATES IN VERSION 2
====================

Included backport for qemu-xen versions 4.7 (and earlier); fixed
qemu-xen-traditional patch.  Also included proper (non-obscured)
e-mail addresses from upstream patch.

Removed "possibly" from Impact.

3 patches updated

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, leading to information disclosure or privilege escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch       mainline qemu, qemu-xen master,4.8
xsa208-qemuu-4.7.patch   qemu-xen 4.4, 4.5, 4.6, 4.7
xsa208-qemut.patch       qemu-xen-traditional

$ sha256sum xsa208*
afde3e9d4bf5225f92c36dec9ff673b0b1b0bad4452d406f0c12edc85e2fec72  xsa208-qemut.patch
e492d528141be5899d46c2ac0bcd0c40ca9d9bfc40906a8e7a565361f17ce38d  xsa208-qemuu.patch
09471b66c9d9fc5616e7b96ab67bbb51987e7d9520d1b81cb27cbbb168659ad5  xsa208-qemuu-4.7.patch
$


NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYofdiAAoJEIP+FMlX6CvZ3UEIAMJUV177OqZ0O7436zYpM9S+
fEku8b/G7npRcm0L9PtD8PG39IVtqrtIDHIpzMxHA0qbMx3PqWp1G3iBVwFnj21e
ALtKjdNaoDA8nqFEQ3/AbyZ7jn91oYWwmJ7+pKGds+Q+juFof6FVOXCjhNp0XSA6
EDvsz8vOI4fWTtEuVGbg1GnvgEAjKLE9/bE/4zdkWo2WSiWRRCj/yEAr5n0v0R5n
0EEvk21H0XESk2zBk0/UxompNuqbHwOZhBkQ65DxNSkWMIA9hUgqyinR674luHKC
mDkAq8bXar6n1TBQCbWq5f/+50FOApEs0EvJuzWAG7MEkFPaeDSilFb6obhxHjo=
=294C
-----END PGP SIGNATURE-----

[-- Attachment #2: xsa208-qemut.patch --]
[-- Type: application/octet-stream, Size: 1919 bytes --]

From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 13 Feb 2017 15:22:15 +0000
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

This is XSA-208.

upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

[ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
 hw/cirrus_vga.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index e6c3893..364e22d 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
 {
     if (pitch < 0) {
         int64_t min = addr
-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
-        int32_t max = addr
-            + s->cirrus_blt_width;
-        if (min < 0 || max >= s->vram_size) {
+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
+            - s->cirrus_blt_width;
+        if (min < -1 || addr >= s->vram_size) {
             return true;
         }
     } else {
-- 
2.1.4


[-- Attachment #3: xsa208-qemuu.patch --]
[-- Type: application/octet-stream, Size: 1916 bytes --]

From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 13 Feb 2017 15:22:15 +0000
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

This is XSA-208.

upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

[ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
---
 hw/display/cirrus_vga.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index bdb092e..3bbe3d5 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
     }
     if (pitch < 0) {
         int64_t min = addr
-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
-        int32_t max = addr
-            + s->cirrus_blt_width;
-        if (min < 0 || max > s->vga.vram_size) {
+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
+            - s->cirrus_blt_width;
+        if (min < -1 || addr >= s->vga.vram_size) {
             return true;
         }
     } else {
-- 
1.8.3.1

[-- Attachment #4: xsa208-qemuu-4.7.patch --]
[-- Type: application/octet-stream, Size: 1860 bytes --]

From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 13 Feb 2017 15:22:15 +0000
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

This is XSA-208.

upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
---
 hw/display/cirrus_vga.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 5198037..7bf3707 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
 {
     if (pitch < 0) {
         int64_t min = addr
-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
-        int32_t max = addr
-            + s->cirrus_blt_width;
-        if (min < 0 || max >= s->vga.vram_size) {
+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
+            - s->cirrus_blt_width;
+        if (min < -1 || addr >= s->vga.vram_size) {
             return true;
         }
     } else {
-- 
2.1.4


[-- Attachment #5: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Xen Security Advisory 208 (CVE-2017-2615) - oob access in cirrus bitblt copy

[Xen.org security team]

[-- Attachment #1: Type: text/plain, Size: 2596 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2017-2615 / XSA-208

                   oob access in cirrus bitblt copy

ISSUE DESCRIPTION
=================

When doing bitblt copy backwards, qemu should negate the blit width.
This avoids an oob access before the start of video memory.

IMPACT
======

A malicious guest administrator can cause an out of bounds memory
access, possibly leading to information disclosure or privilege
escalation.

VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "cirrus" emulated video card can exploit
the vulnerability.  The non-default "stdvga" emulated video card is
not vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga",
in the xl domain configuration) will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa208-qemuu.patch    qemu-xen, mainline qemu
xsa208-qemut.patch    qemu-xen-traditional

$ sha256sum xsa208*
4369cce9b72daf2418a1b9dd7be6529c312b447b814c44d634bab462e80a15f5  xsa208-qemut.patch
1e516e3df1091415b6ba34aaf54fa67eac91e22daceaad569b11baa2316c78ba  xsa208-qemuu.patch
$


NOTE REGARDING LACK OF EMBARGO
==============================

This issue has already been publicly disclosed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYnbVQAAoJEIP+FMlX6CvZs2sIAKtkU1ptqojrE6GpgdMegdIS
hMcCcEVdDoYt47z9BxXcNA87kyjGLbIaliACF3GQclhBy8f6Ytm6MLQMvh79YO/l
8AvZELKSo5U/Z1El/HQ/ezzWTV15FHwdG64HvDf7SdlRquVyS0fxWLuiq8gmWXRd
bpGcbAwwdRHvrvguMpajif89ZfTWPSHRq8onS1C96SBJW8aUXxzzyKWoX1EvNWN3
vnKC5eXQ5uhLERmh6meIZo2OwB7PlMTuasgVJan915/CGF8CS+B5wqQmiL0uxfRT
fnTBVTfXHC/TzkkREJtnwgHIEv/E+Vygheeg/2P9bEaNkiN3CG5kK/ZOxgWNYU4=
=eEKh
-----END PGP SIGNATURE-----

[-- Attachment #2: xsa208-qemut.patch --]
[-- Type: application/octet-stream, Size: 1518 bytes --]

From: Li Qiang <address@hidden>

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <address@hidden>
Message-id: address@hidden

{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

[ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]

Cc: address@hidden
Cc: P J P <address@hidden>
Cc: Laszlo Ersek <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Wolfgang Bumiller <address@hidden>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
 hw/display/cirrus_vga.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index bdb092e..3bbe3d5 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -307,11 +307,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
 {
     if (pitch < 0) {
         int64_t min = addr
-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
-        int32_t max = addr
-            + s->cirrus_blt_width;
-        if (min < 0 || max >= s->vram_size) {
+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
+            - s->cirrus_blt_width;
+        if (min < -1 || addr >= s->vram_size) {
             return true;
         }
     } else {

[-- Attachment #3: xsa208-qemuu.patch --]
[-- Type: application/octet-stream, Size: 1486 bytes --]

From: Li Qiang <address@hidden>

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <address@hidden>
Message-id: address@hidden

{ kraxel: with backward blits (negative pitch) addr is the topmost
          address, so check it as-is against vram size ]

[ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]

Cc: address@hidden
Cc: P J P <address@hidden>
Cc: Laszlo Ersek <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Wolfgang Bumiller <address@hidden>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/display/cirrus_vga.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index bdb092e..3bbe3d5 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
     }
     if (pitch < 0) {
         int64_t min = addr
-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
-        int32_t max = addr
-            + s->cirrus_blt_width;
-        if (min < 0 || max > s->vga.vram_size) {
+            + ((int64_t)s->cirrus_blt_height - 1) * pitch
+            - s->cirrus_blt_width;
+        if (min < -1 || addr >= s->vga.vram_size) {
             return true;
         }
     } else {
-- 
1.8.3.1

[-- Attachment #4: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel