qemu-e2k/hw/display
Gerd Hoffmann c1b886c45d vbe: rework sanity checks
Plug a bunch of holes in the bochs dispi interface parameter checking.
Add a function doing verification on all registers.  Call that
unconditionally on every register write.  That way we should catch
everything, even changing one register affecting the valid range of
another register.

Some of the holes have been added by commit e9c6149f6a.  Before that commit the
maximum possible framebuffer (VBE_DISPI_MAX_XRES * VBE_DISPI_MAX_YRES *
32 bpp) has been smaller than the qemu vga memory (8MB) and the checking
for VBE_DISPI_MAX_XRES + VBE_DISPI_MAX_YRES + VBE_DISPI_MAX_BPP was ok.

Some of the holes have been there forever, such as
VBE_DISPI_INDEX_X_OFFSET and VBE_DISPI_INDEX_Y_OFFSET register writes
lacking any verification.

Security impact:

(1) Guest can make the ui (gtk/vnc/...) use memory ranges outside the vga
frame buffer as source -> host memory leak.  Memory isn't leaked to
the guest but to the vnc client though.

(2) Qemu will segfault in case the memory range happens to include
unmapped areas -> Guest can DoS itself.

The guest can not modify host memory, so I don't think this can be used
by the guest to escape.

CVE-2014-3615

Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2014-09-04 08:23:14 +02:00
ads7846.c savevm: Remove all the unneeded version_minimum_id_old (arm) 2014-05-13 16:09:35 +01:00
blizzard_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
blizzard.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
cg3.c cg3: add extra check to prevent CG3 register array overflow 2014-06-05 20:51:30 +01:00
cirrus_vga_rop2.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga_rop.h cirrus: Fix host CPU blits 2014-07-11 10:17:02 +02:00
cirrus_vga_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga.c cirrus: Fix build of debug code 2014-07-11 10:17:01 +02:00
exynos4210_fimd.c savevm: Remove all the unneeded version_minimum_id_old (arm) 2014-05-13 16:09:35 +01:00
framebuffer.c memory: add ref/unref calls 2013-07-04 17:42:45 +02:00
framebuffer.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
g364fb.c savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
jazz_led.c jazz_led: Add missing break in switch case 2014-05-24 00:07:56 +04:00
Makefile.objs sun4m: Add Sun CG3 framebuffer and corresponding OpenBIOS FCode ROM 2014-02-27 10:01:41 +00:00
milkymist-tmu2.c savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
milkymist-vgafb_template.h milkymist-vgafb: swap pixel data in source buffer 2014-02-04 19:34:30 +01:00
milkymist-vgafb.c savevm: Remove all the unneeded version_minimum_id_old (rest) 2014-05-14 15:24:51 +02:00
omap_dss.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
omap_lcd_template.h hw: use ld_p/st_p instead of ld_raw/st_raw 2014-06-05 16:04:17 +02:00
omap_lcdc.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
pl110_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
pl110.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
pxa2xx_lcd.c hw/display/pxa2xx_lcd: Fix 16bpp+alpha and 18bpp+alpha palette formats 2014-05-27 17:09:49 +01:00
pxa2xx_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
qxl-logger.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
qxl-render.c qxl-render: add more sanity checks 2014-09-01 10:19:03 +02:00
qxl.c vbe: make bochs dispi interface return the correct memory size with qxl 2014-09-04 08:22:48 +02:00
qxl.h PortioList: Store PortioList in device state 2014-05-05 20:58:33 +02:00
sm501_template.h hw: use ld_p/st_p instead of ld_raw/st_raw 2014-06-05 16:04:17 +02:00
sm501.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
ssd0303.c savevm: Remove all the unneeded version_minimum_id_old (arm) 2014-05-13 16:09:35 +01:00
ssd0323.c ssd0323: fix buffer overun on invalid state load 2014-05-05 22:15:02 +02:00
tc6393xb_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
tc6393xb.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
tcx.c tcx: move initialisation from realizefn to initfn 2014-06-05 20:51:57 +01:00
vga_int.h vbe: make bochs dispi interface return the correct memory size with qxl 2014-09-04 08:22:48 +02:00
vga_template.h hw: use ld_p/st_p instead of ld_raw/st_raw 2014-06-05 16:04:17 +02:00
vga-isa-mm.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
vga-isa.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
vga-pci.c savevm: Remove all the unneeded version_minimum_id_old (x86) 2014-06-16 04:55:26 +02:00
vga.c vbe: rework sanity checks 2014-09-04 08:23:14 +02:00
vga.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
vmware_vga.c savevm: Remove all the unneeded version_minimum_id_old (x86) 2014-06-16 04:55:26 +02:00
xenfb.c xen: build on ARM 2014-07-07 10:37:40 +00:00