File CVE-2017-15289-qemut-cirrus-OOB-access-issue-in... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-15289-qemut-cirrus-OOB-access-issue-in-mode4and5-write-functions.patch of Package xen (Revision bfe509e81d010b78c9467e82b8053baa)

Currently displaying revision bfe509e81d010b78c9467e82b8053baa , Show latest

Move dst calculation into the loop, so we apply the mask on each
interation and will not overflow vga memory.

Cc: Prasad J Pandit <address@hidden>
Reported-by: Niu Guoxiang <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/display/cirrus_vga.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

Index: xen-4.9.0-testing/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c
===================================================================
--- xen-4.9.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c
+++ xen-4.9.0-testing/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c
@@ -2004,15 +2004,14 @@ static void cirrus_mem_writeb_mode4and5_
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
+        dst = s->vram_ptr + ((offset + x) & s->cirrus_addr_mask);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	} else if (mode == 5) {
 	    *dst = s->cirrus_shadow_gr0;
 	}
 	val <<= 1;
-	dst++;
     }
     cpu_physical_memory_set_dirty(s->vram_offset + offset);
     cpu_physical_memory_set_dirty(s->vram_offset + offset + 7);
@@ -2027,8 +2026,8 @@ static void cirrus_mem_writeb_mode4and5_
     unsigned val = mem_value;
     uint8_t *dst;
 
-    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
     for (x = 0; x < 8; x++) {
+        dst = s->vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
 	if (val & 0x80) {
 	    *dst = s->cirrus_shadow_gr1;
 	    *(dst + 1) = s->gr[0x11];
@@ -2037,7 +2036,6 @@ static void cirrus_mem_writeb_mode4and5_
 	    *(dst + 1) = s->gr[0x10];
 	}
 	val <<= 1;
-	dst += 2;
     }
     cpu_physical_memory_set_dirty(s->vram_offset + offset);
     cpu_physical_memory_set_dirty(s->vram_offset + offset + 15);

Places

File CVE-2017-15289-qemut-cirrus-OOB-access-issue-in-mode4and5-write-functions.patch of Package xen (Revision bfe509e81d010b78c9467e82b8053baa)

Places