ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)

Qiang Liu Tue, 30 Aug 2022 03:34:33 -0700

Hi all,

I found this patch is still not merged. Should we merge this and close
this issue?


Best,
Qiang

On Tue, Sep 7, 2021 at 2:20 PM Philippe Mathieu-Daudé <phi...@redhat.com> wrote:
>
> On 9/6/21 5:31 PM, Philippe Mathieu-Daudé wrote:
> > When building QEMU with DEBUG_ATI defined then running with
> > '-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
> > we get:
> >
> >   ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
> >   ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
> >   ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
> >   ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
> >   ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
> >   ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
> >   ati_mm_write 4 0x1420 DST_Y <- 0x3fff
> >   ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
> >   ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
> >   ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 
> > bpp:32 rop:0xff
> >   ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
> >   ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, 
> > y:16383, w:16383, h:16383, xor:0xff000000)
> >   Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
> >   (gdb) bt
> >   #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
> >   #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
> >   #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at 
> > hw/display/ati_2d.c:196
> >   #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, 
> > data=1073692671, size=4) at hw/display/ati.c:843
> >   #4  0x0000555558b90ec4 in memory_region_write_accessor 
> > (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492
> >
> > Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
> > the local dst_x and dst_y which adjust the (x, y) coordinates
> > depending on the direction in the SRCCOPY ROP3 operation, but
> > forgot to address the same issue for the PATCOPY, BLACKNESS and
> > WHITENESS operations, which also call pixman_fill().
> >
> > Fix that now by using the adjusted coordinates in the pixman_fill
> > call, and update the related debug printf().
> >
>
> Forgot here:
>
> Cc: qemu-sta...@nongnu.org
>
> > Reported-by: Qiang Liu <qiang...@zju.edu.cn>
> > Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
> > Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> > ---
> >  hw/display/ati_2d.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
>

Re: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)

Reply via email to