debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch

   1 From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Wed, 14 Dec 2016 12:31:56 +0530
   4 Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
   5
   6 Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
   7 command, retrieves the maximum capabilities size to fill in the
   8 response object. It continues to fill in capabilities even if
   9 retrieved 'max_size' is zero(0), thus resulting in OOB access.
  10 Add check to avoid it.
  11
  12 Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
  13 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  14 Message-id: 20161214070156.23368-1-ppandit@redhat.com
  15 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  16 ---
  17
  18 Notes:
  19     CVE-2016-10028
  20
  21  hw/display/virtio-gpu-3d.c | 6 +++++-
  22  1 file changed, 5 insertions(+), 1 deletion(-)
  23
  24 diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
  25 index d98b140..cdd03a4 100644
  26 --- a/hw/display/virtio-gpu-3d.c
  27 +++ b/hw/display/virtio-gpu-3d.c
  28 @@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
  29
  30      virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
  31                                 &max_size);
  32 -    resp = g_malloc0(sizeof(*resp) + max_size);
  33 +    if (!max_size) {
  34 +        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
  35 +        return;
  36 +    }
  37
  38 +    resp = g_malloc0(sizeof(*resp) + max_size);
  39      resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
  40      virgl_renderer_fill_caps(gc.capset_id,
  41                               gc.capset_version,
  42 --
  43 2.1.4
  44