File CVE-2017-18030-qemut-out-of-bounds-access-in-cirrus_invalidate_region-routine.patch of Package xen.openSUSE_Leap_42.3_Update

Subject: cirrus: handle negative pitch in cirrus_invalidate_region()
From: Wolfgang Bumiller <w.bumiller@proxmox.com> Wed Jan 25 14:48:57 2017 +0100
Date: Wed Feb 1 09:41:53 2017 +0100
Git: f153b563f8cf121aebf5a2fff5f0110faf58ccb3

cirrus_invalidate_region() calls memory_region_set_dirty()
on a per-line basis, always ranging from off_begin to
off_begin+bytesperline. With a negative pitch, off_begin
marks the topmost used address and thus we need to do an
initial shift backwards by a line for negative pitches of
backward blits, otherwise the first iteration covers the
line going from the start offset forwards instead of
backwards.
Additionally, since the start address is inclusive, if we
shift by a full `bytesperline` we move to the first address
*not* included in the blit, so we only shift by one less
than bytesperline.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com

[ kraxel: codestyle fixes ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Index: xen-4.9.1-testing/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c
===================================================================
--- xen-4.9.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c
+++ xen-4.9.1-testing/tools/qemu-xen-traditional-dir-remote/hw/cirrus_vga.c
@@ -691,9 +691,14 @@ static void cirrus_invalidate_region(Cir
     int off_cur;
     int off_cur_end;
 
+    if (off_pitch < 0) {
+        off_begin -= bytesperline - 1;
+    }
+
     for (y = 0; y < lines; y++) {
 	off_cur = off_begin;
 	off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
+	assert(off_cur_end >= off_cur);
 	off_cur &= TARGET_PAGE_MASK;
 	while (off_cur < off_cur_end) {
 	    cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
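Review bot: the new `assert(off_cur_end >= off_cur)` turns a wrapped line range (where `(off_cur + bytesperline) & s->cirrus_addr_mask` lands below `off_cur`) into a process abort of the device model rather than a skipped or clamped invalidation; since the blit parameters that feed `off_begin`, `off_pitch` and `bytesperline` originate from the guest, this is a guest-reachable abort path. That is a defensible stop compared to dirtying memory outside the VRAM mapping, but if the intent is hardening rather than a debug check, consider bailing out of the line loop (e.g. `break;` or returning) when the masked end precedes the start, and add a comment saying the wrap is expected to be unreachable for validated blits. Also note that the new `off_begin -= bytesperline - 1;` is not checked here against `off_begin` going negative (it is an `int`); the hunk relies on the caller having already validated the blit region, which is worth stating in a comment next to the adjustment. Minor style: the added `if` block is indented with spaces while the surrounding loop body uses tabs.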