hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144) - focaccia-qemu - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Philippe Mathieu-Daudé <philmd@linaro.org>	2022-11-28 21:27:40 +0100
committer	Stefan Hajnoczi <stefanha@redhat.com>	2022-11-29 18:15:26 -0500
commit	6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (patch)
tree	6f549781b5b384c4a27fb72b49ee9320841d711e /docs/devel/writing-monitor-commands.rst
parent	8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (diff)
download	focaccia-qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.tar.gz focaccia-qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.zip

hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)

Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.

Similarly qxl_phys2virt() now returns NULL in such case, and
qxl_dirty_one_surface() aborts.

This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().

Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-5-philmd@linaro.org>

Diffstat (limited to 'docs/devel/writing-monitor-commands.rst')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: