On 1/22/19 10:49 AM, Daniel P. Berrangé wrote:
> The QXL_IO_LOG command allows the guest to send log messages to the host
> via a buffer in the QXLRam struct. QEMU prints these to the console if
> the qxl 'guestdebug' option is set to non-zero. It will also feed them
> to the trace subsystem if any backends are built-in.
>
> In both cases the log_buf data will get treated as being as a nul
> terminated string, by the printf '%s' format specifier and / or other
> code reading the buffer.
>
> QEMU does nothing to guarantee that the log_buf really is nul terminated,
> so there is potential for out of bounds array access.
>
> This would affect any QEMU which has the log, syslog or ftrace trace
> backends built into QEMU. It can only be triggered if the 'qxl_io_log'
> trace event is enabled, however, so they are not vulnerable without
> specific administrative action to enable this.
>
> It would also affect QEMU if the 'guestdebug' parameter is set to a
> non-zero value, which again is not the default and requires explicit
> admin opt-in.
>
> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
> hw/display/qxl.c | 14 ++++++++++----
> hw/display/trace-events | 2 +-
> 2 files changed, 11 insertions(+), 5 deletions(-)
Reviewed-by: Eric Blake <ebl...@redhat.com>

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
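The failure mode described in the quoted commit message, a guest-writable log buffer passed to a '%s' conversion without any guarantee of a terminating nul, is a general pattern for device emulators. The example below is added here and is not Daniel's patch or QEMU's code: it shows the host-side discipline of measuring the guest message with a bounded scan, printing with a '%.*s' precision, and copying into a host-owned buffer that is always terminated. GUEST_LOG_BUF_SIZE is a stand-in constant (the real QXL buffer size is not taken from the page) and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed size of the guest-writable log area. This is a placeholder for
 * the example, not the QXL constant from QEMU. */
#define GUEST_LOG_BUF_SIZE 16

/* Length of the message the guest placed in the buffer, never reading past
 * buf_size. If the guest omitted the terminator, the whole buffer counts as
 * the message instead of letting strlen() run off the end. */
size_t guest_log_len(const char *buf, size_t buf_size)
{
    const char *nul = memchr(buf, '\0', buf_size);
    return nul ? (size_t)(nul - buf) : buf_size;
}

/* Copy the guest message into a host-owned buffer that is always
 * nul-terminated, truncating if it does not fit. Returns bytes copied. */
size_t copy_guest_log(const char *buf, size_t buf_size,
                      char *out, size_t out_size)
{
    if (out_size == 0) {
        return 0;
    }
    size_t n = guest_log_len(buf, buf_size);
    if (n > out_size - 1) {
        n = out_size - 1;
    }
    memcpy(out, buf, n);
    out[n] = '\0';
    return n;
}

/* Print without trusting the guest for termination: the %.*s precision
 * bounds how many bytes printf may read from buf. */
void print_guest_log(const char *buf, size_t buf_size)
{
    printf("qxl guest log: %.*s\n", (int)guest_log_len(buf, buf_size), buf);
}

int main(void)
{
    /* Constructed inputs: one terminated message, and one that fills the
     * buffer with no terminator at all, the case the commit message warns
     * about. Passing the second one to a plain "%s" would be an
     * out-of-bounds read. */
    char terminated[GUEST_LOG_BUF_SIZE] = "hello";
    char unterminated[GUEST_LOG_BUF_SIZE];
    memset(unterminated, 'A', sizeof unterminated);

    char host_copy[GUEST_LOG_BUF_SIZE + 1];
    print_guest_log(terminated, sizeof terminated);
    print_guest_log(unterminated, sizeof unterminated);
    copy_guest_log(unterminated, sizeof unterminated, host_copy, sizeof host_copy);
    printf("host copy: %s (%zu bytes)\n", host_copy, strlen(host_copy));
    return 0;
}
```

The same bounded length is what a trace backend should receive: hand the tracer a (pointer, length) pair or the terminated host copy, never the raw guest buffer, so that enabling a trace event cannot change how far into guest memory the host reads.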