[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch

From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 14 Dec 2016 12:31:56 +0530
Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size

Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.

Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20161214070156.23368-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---

Notes:
    CVE-2016-10028

 hw/display/virtio-gpu-3d.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index d98b140..cdd03a4 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
 
     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
                                &max_size);
-    resp = g_malloc0(sizeof(*resp) + max_size);
+    if (!max_size) {
+        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+        return;
+    }
 
+    resp = g_malloc0(sizeof(*resp) + max_size);
     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
     virgl_renderer_fill_caps(gc.capset_id,
                              gc.capset_version,
-- 
2.1.4
Commit	Line	Data
7fd7e00b WB	1	From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Wed, 14 Dec 2016 12:31:56 +0530
	4	Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
	5
	6	Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
	7	command, retrieves the maximum capabilities size to fill in the
	8	response object. It continues to fill in capabilities even if
	9	retrieved 'max_size' is zero(0), thus resulting in OOB access.
	10	Add check to avoid it.
	11
	12	Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
	13	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	14	Message-id: 20161214070156.23368-1-ppandit@redhat.com
	15	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	16	---
	17
	18	Notes:
	19	CVE-2016-10028
	20
	21	hw/display/virtio-gpu-3d.c \| 6 +++++-
	22	1 file changed, 5 insertions(+), 1 deletion(-)
	23
	24	diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
	25	index d98b140..cdd03a4 100644
	26	--- a/hw/display/virtio-gpu-3d.c
	27	+++ b/hw/display/virtio-gpu-3d.c
	28	@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
	29
	30	virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
	31	&max_size);
	32	- resp = g_malloc0(sizeof(*resp) + max_size);
	33	+ if (!max_size) {
	34	+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
	35	+ return;
	36	+ }
	37
	38	+ resp = g_malloc0(sizeof(*resp) + max_size);
	39	resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
	40	virgl_renderer_fill_caps(gc.capset_id,
	41	gc.capset_version,
	42	--
	43	2.1.4
	44