File CVE-2017-13672-qemuu-vga-OOB-read-access-during-display-update.patch of Package xen.7673
Subject: vga: stop passing pointers to vga_draw_line* functions
From: Gerd Hoffmann kraxel@redhat.com Mon Aug 28 14:29:06 2017 +0200
Date: Fri Sep 1 13:52:43 2017 +0200:
Git: 3d90c6254863693a6b13d918d2b8682e08bbc681
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).
Impact: DoS for privileged guest users. qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.
Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/vga_template.h
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/display/vga_template.h
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/vga_template.h
@@ -154,17 +154,17 @@ static void glue(vga_draw_glyph9_, DEPTH
/*
* 4 color mode
*/
-static void glue(vga_draw_line2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, *palette, data, v;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand2[GET_PLANE(data, 0)];
v |= expand2[GET_PLANE(data, 2)] << 2;
@@ -180,7 +180,7 @@ static void glue(vga_draw_line2_, DEPTH)
((PIXEL_TYPE *)d)[6] = palette[(v >> 4) & 0xf];
((PIXEL_TYPE *)d)[7] = palette[(v >> 0) & 0xf];
d += BPP * 8;
- s += 4;
+ addr += 4;
}
}
@@ -196,17 +196,17 @@ static void glue(vga_draw_line2_, DEPTH)
/*
* 4 color mode, dup2 horizontal
*/
-static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, *palette, data, v;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand2[GET_PLANE(data, 0)];
v |= expand2[GET_PLANE(data, 2)] << 2;
@@ -222,24 +222,24 @@ static void glue(vga_draw_line2d2_, DEPT
PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
d += BPP * 16;
- s += 4;
+ addr += 4;
}
}
/*
* 16 color mode
*/
-static void glue(vga_draw_line4_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line4_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, data, v, *palette;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand4[GET_PLANE(data, 0)];
v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -254,24 +254,24 @@ static void glue(vga_draw_line4_, DEPTH)
((PIXEL_TYPE *)d)[6] = palette[(v >> 4) & 0xf];
((PIXEL_TYPE *)d)[7] = palette[(v >> 0) & 0xf];
d += BPP * 8;
- s += 4;
+ addr += 4;
}
}
/*
* 16 color mode, dup2 horizontal
*/
-static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, data, v, *palette;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand4[GET_PLANE(data, 0)];
v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -286,7 +286,7 @@ static void glue(vga_draw_line4d2_, DEPT
PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
d += BPP * 16;
- s += 4;
+ addr += 4;
}
}
@@ -295,21 +295,21 @@ static void glue(vga_draw_line4d2_, DEPT
*
* XXX: add plane_mask support (never used in standard VGA modes)
*/
-static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t *palette;
int x;
- palette = s1->last_palette;
+ palette = vga->last_palette;
width >>= 3;
for(x = 0; x < width; x++) {
- PUT_PIXEL2(d, 0, palette[s[0]]);
- PUT_PIXEL2(d, 1, palette[s[1]]);
- PUT_PIXEL2(d, 2, palette[s[2]]);
- PUT_PIXEL2(d, 3, palette[s[3]]);
+ PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);
+ PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);
+ PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);
+ PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);
d += BPP * 8;
- s += 4;
+ addr += 4;
}
}
@@ -318,25 +318,25 @@ static void glue(vga_draw_line8d2_, DEPT
*
* XXX: add plane_mask support (never used in standard VGA modes)
*/
-static void glue(vga_draw_line8_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line8_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t *palette;
int x;
- palette = s1->last_palette;
+ palette = vga->last_palette;
width >>= 3;
for(x = 0; x < width; x++) {
- ((PIXEL_TYPE *)d)[0] = palette[s[0]];
- ((PIXEL_TYPE *)d)[1] = palette[s[1]];
- ((PIXEL_TYPE *)d)[2] = palette[s[2]];
- ((PIXEL_TYPE *)d)[3] = palette[s[3]];
- ((PIXEL_TYPE *)d)[4] = palette[s[4]];
- ((PIXEL_TYPE *)d)[5] = palette[s[5]];
- ((PIXEL_TYPE *)d)[6] = palette[s[6]];
- ((PIXEL_TYPE *)d)[7] = palette[s[7]];
+ ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)];
+ ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)];
+ ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)];
+ ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)];
+ ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)];
+ ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)];
+ ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)];
+ ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)];
d += BPP * 8;
- s += 8;
+ addr += 8;
}
}
@@ -348,23 +348,23 @@ static void glue(vga_draw_line8_, DEPTH)
/*
* 15 bit color
*/
-static void glue(vga_draw_line15_, PIXEL_NAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line15_, PIXEL_NAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
#if DEPTH == 15 && defined(HOST_WORDS_BIGENDIAN) == defined(TARGET_WORDS_BIGENDIAN)
- memcpy(d, s, width * 2);
+ memcpy(d, (uint8_t *)addr, width * 2);
#else
int w;
uint32_t v, r, g, b;
w = width;
do {
- v = lduw_raw((void *)s);
+ v = vga_read_word_le(vga, addr);
r = (v >> 7) & 0xf8;
g = (v >> 2) & 0xf8;
b = (v << 3) & 0xf8;
((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 2;
+ addr += 2;
d += BPP;
} while (--w != 0);
#endif
@@ -373,23 +373,23 @@ static void glue(vga_draw_line15_, PIXEL
/*
* 16 bit color
*/
-static void glue(vga_draw_line16_, PIXEL_NAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line16_, PIXEL_NAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
#if DEPTH == 16 && defined(HOST_WORDS_BIGENDIAN) == defined(TARGET_WORDS_BIGENDIAN)
- memcpy(d, s, width * 2);
+ memcpy(d, (uint8_t *)addr, width * 2);
#else
int w;
uint32_t v, r, g, b;
w = width;
do {
- v = lduw_raw((void *)s);
+ v = vga_read_word_le(vga, addr);
r = (v >> 8) & 0xf8;
g = (v >> 3) & 0xfc;
b = (v << 3) & 0xf8;
((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 2;
+ addr += 2;
d += BPP;
} while (--w != 0);
#endif
@@ -398,8 +398,8 @@ static void glue(vga_draw_line16_, PIXEL
/*
* 24 bit color
*/
-static void glue(vga_draw_line24_, PIXEL_NAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line24_, PIXEL_NAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
int w;
uint32_t r, g, b;
@@ -407,16 +407,16 @@ static void glue(vga_draw_line24_, PIXEL
w = width;
do {
#if defined(TARGET_WORDS_BIGENDIAN)
- r = s[0];
- g = s[1];
- b = s[2];
+ r = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ b = vga_read_byte(vga, addr + 2);
#else
- b = s[0];
- g = s[1];
- r = s[2];
+ b = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ r = vga_read_byte(vga, addr + 2);
#endif
((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 3;
+ addr += 3;
d += BPP;
} while (--w != 0);
}
@@ -424,11 +424,11 @@ static void glue(vga_draw_line24_, PIXEL
/*
* 32 bit color
*/
-static void glue(vga_draw_line32_, PIXEL_NAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line32_, PIXEL_NAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
#if DEPTH == 32 && defined(HOST_WORDS_BIGENDIAN) == defined(TARGET_WORDS_BIGENDIAN) && !defined(BGR_FORMAT)
- memcpy(d, s, width * 4);
+ memcpy(d, (uint8_t *)addr, width * 4);
#else
int w;
uint32_t r, g, b;
@@ -436,16 +436,16 @@ static void glue(vga_draw_line32_, PIXEL
w = width;
do {
#if defined(TARGET_WORDS_BIGENDIAN)
- r = s[1];
- g = s[2];
- b = s[3];
+ r = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ b = vga_read_byte(vga, addr + 2);
#else
- b = s[0];
- g = s[1];
- r = s[2];
+ b = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ r = vga_read_byte(vga, addr + 2);
#endif
((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 4;
+ addr += 4;
d += BPP;
} while (--w != 0);
#endif
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/vga.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/display/vga.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/vga.c
@@ -1054,7 +1054,33 @@ typedef void vga_draw_glyph9_func(uint8_
const uint8_t *font_ptr, int h,
uint32_t fgcol, uint32_t bgcol, int dup9);
typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width);
+ uint32_t srcaddr, int width);
+
+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
+{
+ return vga->vram_ptr[addr & vga->vbe_size_mask];
+}
+
+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+ return lduw_le_p(ptr);
+}
+
+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+ return lduw_be_p(ptr);
+}
+
+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~3;
+ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
+ return ldl_le_p(ptr);
+}
#define DEPTH 8
#include "vga_template.h"
@@ -1888,7 +1914,7 @@ static void vga_draw_graphic(VGACommonSt
if (page1 > page_max)
page_max = page1;
if (!(is_buffer_shared(surface))) {
- vga_draw_line(s, d, s->vram_ptr + addr, width);
+ vga_draw_line(s, d, addr, width);
if (s->cursor_draw_line)
s->cursor_draw_line(s, d, y);
}
@@ -2358,6 +2384,7 @@ void vga_common_init(VGACommonState *s,
}
expand4to8[i] = v;
}
+ s->vbe_size_mask = s->vbe_size - 1;
/* valid range: 1 MB -> 256 MB */
s->vram_size = 1024 * 1024;
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/vga_int.h
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/display/vga_int.h
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/display/vga_int.h
@@ -94,6 +94,7 @@ typedef struct VGACommonState {
uint32_t vram_size;
uint32_t vram_size_mb; /* property */
uint32_t vbe_size;
+ uint32_t vbe_size_mask;
uint32_t latch;
MemoryRegion *chain4_alias;
uint8_t sr_index;
