[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash

From: BALATON Zoltan
Subject: Re: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
Date: Sat, 22 Aug 2020 23:15:01 +0200 (CEST)
User-agent: Alpine 2.22 (BSF 395 2020-01-19)

On Sat, 22 Aug 2020, Philippe Mathieu-Daudé wrote:
On 4/6/20 10:34 PM, BALATON Zoltan wrote:
In some corner cases (that never happen during normal operation but a
malicious guest could program wrong values) pixman functions were
called with parameters that result in a crash. Fix this and add more
checks to disallow such cases.

(Fair) question on IRC. Is this patch fixing CVE-2020-24352?

Public on August 14, 2020


An out-of-bounds memory access flaw was found in the ATI VGA device
implementation of the QEMU emulator. This flaw occurs in the
ati_2d_blt() routine while handling MMIO write operations through the
ati_mm_write() callback. A malicious guest could use this flaw to crash
the QEMU process on the host, resulting in a denial of service.

Probably this patch does not fix all possible malicious register writes a guest could do. This was fixing problems reported earlier but then I got some more reports around 5.1.0 freeze about some more overruns which I could not yet look at and nobody else was fixing it either so it's possible some bugs are still left in the checks.

However this is hardly security critical as ati-vga is experimental and not fully implemented yet so anyone using it will likely get other problems (such as drivers not loading) before a guest could exploit this. I think QEMU only considers bugs in parts that are used for virtualisation via KVM as security problems so maybe this does not even need a CVE and could be normally reported/discussed on the mailing list.

Basically what needs to be done is go through the checks again to verify that we don't pass params to pixman or set_dirty that result in access outside the video ram area. Probably there's still an off by one error or some other mistake. I'll eventually may try to fix it but if anyone is sending a patch earlier that's welcome. I don't have much time for QEMU now.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]