riscv-gnu-toolchain/qemu.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Philippe Mathieu-Daudé <philmd@linaro.org>	2022-11-28 21:27:40 +0100
committer	Stefan Hajnoczi <stefanha@redhat.com>	2022-11-29 18:15:26 -0500
commit	6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (patch)
tree	6f549781b5b384c4a27fb72b49ee9320841d711e /qapi/run-state.json
parent	8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (diff)
download	qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.zip qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.tar.gz qemu-6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622.tar.bz2

hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)

Have qxl_get_check_slot_offset() return false if the requested buffer size does not fit within the slot memory region. Similarly qxl_phys2virt() now returns NULL in such case, and qxl_dirty_one_surface() aborts. This avoids buffer overrun in the host pointer returned by memory_region_get_ram_ptr(). Fixes: CVE-2022-4144 (out-of-bounds read) Reported-by: Wenxu Yin (@awxylitol) Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-Id: <20221128202741.4945-5-philmd@linaro.org>

Diffstat (limited to 'qapi/run-state.json')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: