45 lines
1.5 KiB
Diff
45 lines
1.5 KiB
Diff
From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Wed, 14 Dec 2016 12:31:56 +0530
|
|
Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
|
|
|
|
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
|
|
command, retrieves the maximum capabilities size to fill in the
|
|
response object. It continues to fill in capabilities even if
|
|
retrieved 'max_size' is zero(0), thus resulting in OOB access.
|
|
Add check to avoid it.
|
|
|
|
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Message-id: 20161214070156.23368-1-ppandit@redhat.com
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
---
|
|
|
|
Notes:
|
|
CVE-2016-10028
|
|
|
|
hw/display/virtio-gpu-3d.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
|
index d98b140..cdd03a4 100644
|
|
--- a/hw/display/virtio-gpu-3d.c
|
|
+++ b/hw/display/virtio-gpu-3d.c
|
|
@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
|
|
|
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
|
|
&max_size);
|
|
- resp = g_malloc0(sizeof(*resp) + max_size);
|
|
+ if (!max_size) {
|
|
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
|
+ return;
|
|
+ }
|
|
|
|
+ resp = g_malloc0(sizeof(*resp) + max_size);
|
|
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
|
virgl_renderer_fill_caps(gc.capset_id,
|
|
gc.capset_version,
|
|
--
|
|
2.1.4
|
|
|