[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in q
|
From: |
Stefan Hajnoczi |
|
Subject: |
Re: [RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt() |
|
Date: |
Wed, 30 Nov 2022 14:45:48 -0500 |
On Mon, 28 Nov 2022 at 15:30, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Since v2:
> - Do not abort checking guest-provided addresses (Stefan)
> - Handle chunked QEMUCursor (Gerd)
>
> Since v1:
> - Moved overrun check in qxl_get_check_slot_offset (Marc-André)
>
> memory_region_get_ram_ptr() returns a host pointer for a
> MemoryRegion. Sometimes we do offset calculation using this
> pointer without checking the underlying MemoryRegion size.
>
> Wenxu Yin reported a buffer overrun in QXL. This series
> aims to fix it. I haven't audited the other _get_ram_ptr()
> uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
> and add a safer helper which checks for overrun.
>
> Worth considering for 7.2?
Merged, thanks!
Stefan
- [RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/28
- [PATCH-for-7.2 v3 1/5] hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler, Philippe Mathieu-Daudé, 2022/11/28
- [PATCH-for-7.2 v3 2/5] hw/display/qxl: Document qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/28
- [RFC PATCH-for-7.2 v3 3/5] hw/display/qxl: Pass requested buffer size to qxl_phys2virt(), Philippe Mathieu-Daudé, 2022/11/28
- [PATCH-for-8.0 v3 5/5] hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion, Philippe Mathieu-Daudé, 2022/11/28
- [RFC PATCH-for-7.2 v3 4/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144), Philippe Mathieu-Daudé, 2022/11/28
- Re: [RFC PATCH-for-7.2 v3 0/5] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt(),
Stefan Hajnoczi <=