qemu-commits


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] eb8934: vnc: fix memory corruption (CVE-2015-5225)
Date: Wed, 26 Aug 2015 11:00:07 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: eb8934b0418b3b1d125edddc4fc334a54334a49b
      https://github.com/qemu/qemu/commit/eb8934b0418b3b1d125edddc4fc334a54334a49b
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-08-26 (Wed, 26 Aug 2015)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  vnc: fix memory corruption (CVE-2015-5225)

The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
memory corruption issues" can become negative.  Result is (possibly
exploitable) memory corruption.  Reason for that is it uses the stride
instead of bytes per scanline to apply limits.

For the server surface it is actually fine.  vnc creates that itself,
there is never any padding and thus scanline length always equals stride.

For the guest surface scanline length and stride are typically identical
too, but it doesn't have to be that way.  So add and use a new variable
(guest_ll) for the guest scanline length.  Also rename min_stride to
line_bytes to make more clear what it actually is.  Finally sprinkle
in an assert() to make sure we never use a negative _cmp_bytes again.

Reported-by: 范祚至(库特) <address@hidden>
Reviewed-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
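As an added illustration of the clamp the commit message describes (a simplified model with hypothetical names, not QEMU's ui/vnc.c), the buggy per-line limit is taken from the stride and the fixed one from the guest scanline length. It assumes the guest surface shares the server's 32bpp format and feeds in a constructed negative stride, which pixman permits for bottom-up images, to show how a stride-based limit can drop below zero while width times bytes-per-pixel cannot.

```c
#include <assert.h>
#include <stddef.h>
/* Simplified model of the per-line clamp the commit message describes.
 * Hypothetical names; this is not QEMU's ui/vnc.c. The server walks each
 * dirty scanline in chunks of VNC_DIRTY_PIXELS_PER_BIT pixels and shortens
 * the final chunk so memcmp()/memcpy() stay inside the line. */
#define VNC_DIRTY_PIXELS_PER_BIT 16
#define VNC_SERVER_FB_BYTES      4   /* model assumes guest and server are both 32bpp */
#define CMP_BYTES (VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES)
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Bytes to compare for chunk x when 'limit' bytes of the line are usable. */
static int chunk_len(int limit, int x)
{
    int len = CMP_BYTES;
    if ((x + 1) * CMP_BYTES > limit) {
        len = limit - x * CMP_BYTES;  /* negative once limit < x * CMP_BYTES */
    }
    return len;
}

/* Before the fix: the limit is the smaller stride. A pixman stride is a signed
 * row pitch (negative for bottom-up images, padded beyond the pixel data), so
 * it says nothing reliable about how many pixel bytes a line holds. */
static int last_chunk_len_stride(int width, int server_stride, int guest_stride)
{
    int min_stride = MIN(server_stride, guest_stride);
    int last_x = DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT) - 1;
    return chunk_len(min_stride, last_x);
}

/* After the fix: the limit is the guest scanline length (width * bytes per
 * pixel), which is never negative, and the result is checked with assert(). */
static int last_chunk_len_line(int width, int server_stride, int guest_width)
{
    int guest_ll = guest_width * VNC_SERVER_FB_BYTES;
    int line_bytes = MIN(server_stride, guest_ll);
    int last_x = DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT) - 1;
    int len = chunk_len(line_bytes, last_x);
    assert(len >= 0);
    return len;
}

/* memcmp()/memcpy() take size_t: a negative chunk length converts to an
 * enormous count, which is the memory corruption the fix prevents. */
static size_t as_copy_size(int len)
{
    return (size_t)len;
}
```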


  Commit: 47c9dfee808f9455d732aea7c4390ad0972bbd84
      https://github.com/qemu/qemu/commit/47c9dfee808f9455d732aea7c4390ad0972bbd84
  Author: Peter Maydell <address@hidden>
  Date:   2015-08-26 (Wed, 26 Aug 2015)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2015-5225-20150826-1' into staging

vnc: fix memory corruption (CVE-2015-5225)

# gpg: Signature made Wed 26 Aug 2015 17:37:21 BST using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"

* remotes/kraxel/tags/pull-cve-2015-5225-20150826-1:
  vnc: fix memory corruption (CVE-2015-5225)

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/7df9671989c1...47c9dfee808f
