]> git.ipfire.org Git - thirdparty/qemu.git/commit
projects / thirdparty / qemu.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5e46417) | patch
cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)
authorGerd Hoffmann <kraxel@redhat.com>
Wed, 8 Feb 2017 10:18:36 +0000 (11:18 +0100)
committerMichael Roth <mdroth@linux.vnet.ibm.com>
Thu, 16 Mar 2017 17:10:41 +0000 (12:10 -0500)
commitfc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf
tree39ca15b473db331d47489e2c37da8702fa4f9c9atree | snapshot
parent5e4641777c3cb06206127419ce7617aeff2327f4commit | diff
cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)

CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all.  Oops.  Fix it.

Security impact: high.

The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.

Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/display/cirrus_vga.c diff | blob | blame | history
Mirror of https://git.qemu.org/git/qemu.git