| commit | 92f2b88cea48c6aeba8de568a45f2ed958f3c298 | |
| author | Gerd Hoffmann <kraxel@redhat.com> | |
| Wed, 8 Feb 2017 10:18:36 +0000 (8 11:18 +0100) | ||
| committer | Gerd Hoffmann <kraxel@redhat.com> | |
| Fri, 24 Feb 2017 13:35:50 +0000 (24 14:35 +0100) | ||
| tree | 6ed759495bfcf73c74481e0d8cc01c7d33cc8d21 | treesnapshot (tar.gz zip) |
| parent | 10f25e4844cb9b3f02fb032f88051dd5b65b4206 | commitdiff |
cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| hw/display/cirrus_vga.c | diffblobblamehistory |