[pve-qemu-kvm.git] / debian / patches / extra / CVE-2016-9921-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch

From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 18 Oct 2016 13:15:17 +0530
Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value

In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
'cirrus_get_bpp' returns zero(0), which could lead to a divide
by zero error in while copying pixel data. The same could occur
via blit pitch values. Add check to avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---

Notes:
    CVE-2016-9921
    CVE-2016-9922

 hw/display/cirrus_vga.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 3d712d5..bdb092e 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
 static bool blit_region_is_unsafe(struct CirrusVGAState *s,
                                   int32_t pitch, int32_t addr)
 {
+    if (!pitch) {
+        return true;
+    }
     if (pitch < 0) {
         int64_t min = addr
             + ((int64_t)s->cirrus_blt_height-1) * pitch;
@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
                                             s->cirrus_addr_mask));
 }
 
-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
 {
     int sx = 0, sy = 0;
     int dx = 0, dy = 0;
@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
         int width, height;
 
         depth = s->vga.get_bpp(&s->vga) / 8;
+        if (!depth) {
+            return 0;
+        }
         s->vga.get_resolution(&s->vga, &width, &height);
 
         /* extra x, y */
@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
 				s->cirrus_blt_dstpitch, s->cirrus_blt_width,
 				s->cirrus_blt_height);
+
+    return 1;
 }
 
 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
     if (blit_is_unsafe(s))
         return 0;
 
-    cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+    return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
             s->cirrus_blt_srcaddr - s->vga.start_addr,
             s->cirrus_blt_width, s->cirrus_blt_height);
-
-    return 1;
 }
 
 /***************************************
-- 
2.1.4
Commit	Line	Data
f262231e WB	1	From 9ec3cbedab41f93d2fbf742f2ca6705c2d68c3e1 Mon Sep 17 00:00:00 2001
	2	From: Prasad J Pandit <pjp@fedoraproject.org>
	3	Date: Tue, 18 Oct 2016 13:15:17 +0530
	4	Subject: [PATCH 12/12] display: cirrus: check vga bits per pixel(bpp) value
	5
	6	In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
	7	'cirrus_get_bpp' returns zero(0), which could lead to a divide
	8	by zero error in while copying pixel data. The same could occur
	9	via blit pitch values. Add check to avoid it.
	10
	11	Reported-by: Huawei PSIRT <psirt@huawei.com>
	12	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	13	Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
	14	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	15	---
	16
	17	Notes:
	18	CVE-2016-9921
	19	CVE-2016-9922
	20
	21	hw/display/cirrus_vga.c \| 14 ++++++++++----
	22	1 file changed, 10 insertions(+), 4 deletions(-)
	23
	24	diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
	25	index 3d712d5..bdb092e 100644
	26	--- a/hw/display/cirrus_vga.c
	27	+++ b/hw/display/cirrus_vga.c
	28	@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
	29	static bool blit_region_is_unsafe(struct CirrusVGAState *s,
	30	int32_t pitch, int32_t addr)
	31	{
	32	+ if (!pitch) {
	33	+ return true;
	34	+ }
	35	if (pitch < 0) {
	36	int64_t min = addr
	37	+ ((int64_t)s->cirrus_blt_height-1) * pitch;
	38	@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
	39	s->cirrus_addr_mask));
	40	}
	41
	42	-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
	43	+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
	44	{
	45	int sx = 0, sy = 0;
	46	int dx = 0, dy = 0;
	47	@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
	48	int width, height;
	49
	50	depth = s->vga.get_bpp(&s->vga) / 8;
	51	+ if (!depth) {
	52	+ return 0;
	53	+ }
	54	s->vga.get_resolution(&s->vga, &width, &height);
	55
	56	/* extra x, y */
	57	@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
	58	cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
	59	s->cirrus_blt_dstpitch, s->cirrus_blt_width,
	60	s->cirrus_blt_height);
	61	+
	62	+ return 1;
	63	}
	64
65	static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
66	@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
67	if (blit_is_unsafe(s))
68	return 0;
69
70	- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
71	+ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
72	s->cirrus_blt_srcaddr - s->vga.start_addr,
73	s->cirrus_blt_width, s->cirrus_blt_height);
74	-
75	- return 1;
76	}
77
78	/***************************************
79	--
80	2.1.4
81