]>
Commit | Line | Data |
---|---|---|
7fd7e00b WB |
1 | From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001 |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | |
3 | Date: Wed, 14 Dec 2016 12:31:56 +0530 | |
4 | Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size | |
5 | ||
6 | Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET' | |
7 | command, retrieves the maximum capabilities size to fill in the | |
8 | response object. It continues to fill in capabilities even if | |
9 | retrieved 'max_size' is zero(0), thus resulting in OOB access. | |
10 | Add check to avoid it. | |
11 | ||
12 | Reported-by: Zhenhao Hong <zhenhaohong@gmail.com> | |
13 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
14 | Message-id: 20161214070156.23368-1-ppandit@redhat.com | |
15 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | |
16 | --- | |
17 | ||
18 | Notes: | |
19 | CVE-2016-10028 | |
20 | ||
21 | hw/display/virtio-gpu-3d.c | 6 +++++- | |
22 | 1 file changed, 5 insertions(+), 1 deletion(-) | |
23 | ||
24 | diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c | |
25 | index d98b140..cdd03a4 100644 | |
26 | --- a/hw/display/virtio-gpu-3d.c | |
27 | +++ b/hw/display/virtio-gpu-3d.c | |
28 | @@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, | |
29 | ||
30 | virgl_renderer_get_cap_set(gc.capset_id, &max_ver, | |
31 | &max_size); | |
32 | - resp = g_malloc0(sizeof(*resp) + max_size); | |
33 | + if (!max_size) { | |
34 | + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; | |
35 | + return; | |
36 | + } | |
37 | ||
38 | + resp = g_malloc0(sizeof(*resp) + max_size); | |
39 | resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; | |
40 | virgl_renderer_fill_caps(gc.capset_id, | |
41 | gc.capset_version, | |
42 | -- | |
43 | 2.1.4 | |
44 |