vmware-vga: add rectangle verification (CVE-2014-3689)

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABAgAGBQJUUNNZAAoJEEy22O7T6HE4S3YP/jEHyGtodT6+Q2sTOFWX7y4q q4JP+xRONdLnY//7Xe8F2cZQffH0W5QS8DJxf4SaRVDVk2e2tvK2P9XiaMkekOEC zzfKxbvGozD4w2yrhVNAlQb4l1c09jcBuoa4T3JEXwdH28sq9TuOmGLNky7oEG2W nVEXcO14yMDHKCurbZuzvwxoc25XwY8Y2vTW558iLvGzFzXLMt3fIp2MIIcmQL1c lWQ2+6Ajeh2KzjpiWFym6fvMko3rM+IpdhYLNQE7PbbzsD9SynwWxnC3P6xSuSv9 WFMz1RWcoDOylosnXmjQgZFgpgwl2jnfX4MWDclWO3z0ooGgchKnR4b1eWyefV6b oFsG8Pl2duESYRyojhnglXoTqQnT/lf0j+MoeVWkMSADSYgKoGYIVwNtdFM4LXY2 0hlnuJl4uKbdCGmi1UWZ517h4sU1cdf4NuaQDLjkr2p4GREvGsUvww7ae++cxJtL xiqnheJOjrg6qM+P+N6x9Iqd3ChcsFF3xu5nKH/iO4nXgdsiL4sBqA0iUsVvujXV AQZyxBka81sXEdZBH1nOFuTj14TaStl8OCLWz2iOQj4fqAaMoibDeoSVUXnzo3CI HZ4fGnJ9j17qOJAv5VL8XnUOp8ZFGFpTFkVHhuZkqZyaMlP1t0ujpP/cUXrS1+Hm yabN/p6vO063JE23JN9W =Z1KH -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2014-3689-20141029-1' into staging vmware-vga: add rectangle verification (CVE-2014-3689) # gpg: Signature made Wed 29 Oct 2014 11:45:29 GMT using RSA key ID D3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" * remotes/kraxel/tags/pull-cve-2014-3689-20141029-1: vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect vmware-vga: add vmsvga_verify_rect vmware-vga: CVE-2014-3689: turn off hw accel Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-10-30 19:11:24 +00:00 · 2014-10-30 19:11:24 +00:00 · 4239e2dc01
parent fecd54ccd7 bd9ccd8517
commit 4239e2dc01
1 changed files with 79 additions and 39 deletions
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@ -292,8 +292,59 @@ enum {
    SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
 };

+static inline bool vmsvga_verify_rect(DisplaySurface *surface,
+                                      const char *name,
+                                      int x, int y, int w, int h)
+{
+    if (x < 0) {
+        fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
+        return false;
+    }
+    if (x > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
+        return false;
+    }
+    if (w < 0) {
+        fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
+        return false;
+    }
+    if (w > SVGA_MAX_WIDTH) {
+        fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
+        return false;
+    }
+    if (x + w > surface_width(surface)) {
+        fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
+                name, surface_width(surface), x, w);
+        return false;
+    }
+
+    if (y < 0) {
+        fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
+        return false;
+    }
+    if (y > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
+        return false;
+    }
+    if (h < 0) {
+        fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
+        return false;
+    }
+    if (h > SVGA_MAX_HEIGHT) {
+        fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
+        return false;
+    }
+    if (y + h > surface_height(surface)) {
+        fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
+                name, surface_height(surface), y, h);
+        return false;
+    }
+
+    return true;
+}
+
 static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
-                int x, int y, int w, int h)
+                                      int x, int y, int w, int h)
 {
    DisplaySurface *surface = qemu_console_surface(s->vga.con);
    int line;
@ -303,36 +354,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
    uint8_t *src;
    uint8_t *dst;

-    if (x < 0) {
-        fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
-        w += x;
+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        /* go for a fullscreen update as fallback */
        x = 0;
-    }
-    if (w < 0) {
-        fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
-        w = 0;
-    }
-    if (x + w > surface_width(surface)) {
-        fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
-                __func__, x, w);
-        x = MIN(x, surface_width(surface));
-        w = surface_width(surface) - x;
-    }
-
-    if (y < 0) {
-        fprintf(stderr, "%s: update y was < 0 (%d)\n",  __func__, y);
-        h += y;
        y = 0;
-    }
-    if (h < 0) {
-        fprintf(stderr, "%s: update h was < 0 (%d)\n",  __func__, h);
-        h = 0;
-    }
-    if (y + h > surface_height(surface)) {
-        fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
-                __func__, y, h);
-        y = MIN(y, surface_height(surface));
-        h = surface_height(surface) - y;
+        w = surface_width(surface);
+        h = surface_height(surface);
    }

    bypl = surface_stride(surface);
@ -377,7 +404,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
 }

 #ifdef HW_RECT_ACCEL
-static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
                int x0, int y0, int x1, int y1, int w, int h)
 {
    DisplaySurface *surface = qemu_console_surface(s->vga.con);
@ -388,6 +415,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
    int line = h;
    uint8_t *ptr[2];

+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
+        return -1;
+    }
+    if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
+        return -1;
+    }
+
    if (y1 > y0) {
        ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
        ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
@ -403,11 +437,12 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
    }

    vmsvga_update_rect_delayed(s, x1, y1, w, h);
+    return 0;
 }
 #endif

 #ifdef HW_FILL_ACCEL
-static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
                uint32_t c, int x, int y, int w, int h)
 {
    DisplaySurface *surface = qemu_console_surface(s->vga.con);
@ -420,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
    uint8_t *src;
    uint8_t col[4];

+    if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
+        return -1;
+    }
+
    col[0] = c;
    col[1] = c >> 8;
    col[2] = c >> 16;
@ -444,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
    }

    vmsvga_update_rect_delayed(s, x, y, w, h);
+    return 0;
 }
 #endif

@ -576,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
            width = vmsvga_fifo_read(s);
            height = vmsvga_fifo_read(s);
 #ifdef HW_FILL_ACCEL
-            vmsvga_fill_rect(s, colour, x, y, width, height);
-            break;
-#else
+            if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
+                break;
+            }
+#endif
            args = 0;
            goto badcmd;
-#endif

        case SVGA_CMD_RECT_COPY:
            len -= 7;
@ -596,12 +636,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
            width = vmsvga_fifo_read(s);
            height = vmsvga_fifo_read(s);
 #ifdef HW_RECT_ACCEL
-            vmsvga_copy_rect(s, x, y, dx, dy, width, height);
-            break;
-#else
+            if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
+                break;
+            }
+#endif
            args = 0;
            goto badcmd;
-#endif

        case SVGA_CMD_DEFINE_CURSOR:
            len -= 8;