[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 9569f5: display/qxl-render: fix race conditio
|
From: |
Peter Maydell |
|
Subject: |
[Qemu-commits] [qemu/qemu] 9569f5: display/qxl-render: fix race condition in qxl_curs... |
|
Date: |
Fri, 08 Apr 2022 07:01:37 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
https://github.com/qemu/qemu/commit/9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
Author: Mauro Matteo Cascella <mcascell@redhat.com>
Date: 2022-04-07 (Thu, 07 Apr 2022)
Changed paths:
M hw/display/qxl-render.c
Log Message:
-----------
display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa
https://github.com/qemu/qemu/commit/fa892e9abb728e76afcf27323ab29c57fb0fe7aa
Author: Mauro Matteo Cascella <mcascell@redhat.com>
Date: 2022-04-07 (Thu, 07 Apr 2022)
Changed paths:
M hw/display/qxl-render.c
M hw/display/vmware_vga.c
M ui/cursor.c
Log Message:
-----------
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Commit: dde8689d1fe82e295a278ba4bf1abd9be5c7bcab
https://github.com/qemu/qemu/commit/dde8689d1fe82e295a278ba4bf1abd9be5c7bcab
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2022-04-08 (Fri, 08 Apr 2022)
Changed paths:
M hw/display/qxl-render.c
M hw/display/vmware_vga.c
M ui/cursor.c
Log Message:
-----------
Merge tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu into
staging
two cursor/qxl related security fixes.
# gpg: Signature made Fri 08 Apr 2022 05:37:16 BST
# gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu:
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/95a3fcc7487e...dde8689d1fe8
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] 9569f5: display/qxl-render: fix race condition in qxl_curs...,
Peter Maydell <=