bump version to 2.7.1-501
[pve-qemu-kvm.git] / debian / patches / extra / 0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
blobfb5914799e192f2d4d2d728bb45d5319924345cb
1 From e3ff618899e53791fdff5dbd3f8fa889a2ed7b1d Mon Sep 17 00:00:00 2001
2 From: Li Qiang <liqiang6-s@360.cn>
3 Date: Wed, 1 Feb 2017 09:35:01 +0100
4 Subject: [PATCH 4/4] cirrus: fix oob access issue (CVE-2017-2615)
6 When doing bitblt copy in backward mode, we should minus the
7 blt width first just like the adding in the forward mode. This
8 can avoid the oob access of the front of vga's vram.
10 Signed-off-by: Li Qiang <liqiang6-s@360.cn>
11 Reviewed-by: Laszlo Ersek <lersek@redhat.com>
12 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
13 Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
14 Message-id: 5887254f.863a240a.2c122.5500@mx.google.com
16 { kraxel: with backward blits (negative pitch) addr is the topmost
17 address, so check it as-is against vram size ]
19 Cc: qemu-stable@nongnu.org
20 Cc: P J P <ppandit@redhat.com>
21 Cc: Laszlo Ersek <lersek@redhat.com>
22 Cc: Paolo Bonzini <pbonzini@redhat.com>
23 Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
24 Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
25 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
26 ---
27 hw/display/cirrus_vga.c | 7 +++----
28 1 file changed, 3 insertions(+), 4 deletions(-)
30 diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
31 index 7db6409..16f27e8 100644
32 --- a/hw/display/cirrus_vga.c
33 +++ b/hw/display/cirrus_vga.c
34 @@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
36 if (pitch < 0) {
37 int64_t min = addr
38 - + ((int64_t)s->cirrus_blt_height-1) * pitch;
39 - int32_t max = addr
40 - + s->cirrus_blt_width;
41 - if (min < 0 || max > s->vga.vram_size) {
42 + + ((int64_t)s->cirrus_blt_height - 1) * pitch
43 + - s->cirrus_blt_width;
44 + if (min < -1 || addr >= s->vga.vram_size) {
45 return true;
47 } else {
48 --
49 2.1.4