[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-20
From: |
Philippe Mathieu-Daudé |
Subject: |
Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638) |
Date: |
Tue, 7 Sep 2021 08:19:33 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 |
On 9/6/21 5:31 PM, Philippe Mathieu-Daudé wrote:
> When building QEMU with DEBUG_ATI defined then running with
> '-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
> we get:
>
> ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
> ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
> ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
> ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
> ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
> ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
> ati_mm_write 4 0x1420 DST_Y <- 0x3fff
> ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
> ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
> ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32
> rop:0xff
> ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
> ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383,
> y:16383, w:16383, h:16383, xor:0xff000000)
> Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
> (gdb) bt
> #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
> #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
> #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at
> hw/display/ati_2d.c:196
> #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512,
> data=1073692671, size=4) at hw/display/ati.c:843
> #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0,
> addr=5512, ..., size=4, ...) at softmmu/memory.c:492
>
> Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
> the local dst_x and dst_y which adjust the (x, y) coordinates
> depending on the direction in the SRCCOPY ROP3 operation, but
> forgot to address the same issue for the PATCOPY, BLACKNESS and
> WHITENESS operations, which also call pixman_fill().
>
> Fix that now by using the adjusted coordinates in the pixman_fill
> call, and update the related debug printf().
>
Forgot here:
Cc: qemu-stable@nongnu.org
> Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
> Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
> hw/display/ati_2d.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
- [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Philippe Mathieu-Daudé, 2021/09/06
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Mauro Matteo Cascella, 2021/09/06
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Philippe Mathieu-Daudé, 2021/09/06
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), BALATON Zoltan, 2021/09/06
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Philippe Mathieu-Daudé, 2021/09/07
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Philippe Mathieu-Daudé, 2021/09/07
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Mauro Matteo Cascella, 2021/09/09
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Philippe Mathieu-Daudé, 2021/09/09
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Alexander Bulekov, 2021/09/06
- Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638), Philippe Mathieu-Daudé, 2021/09/07
Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638),
Philippe Mathieu-Daudé <=