xemu/hw/display
Michael S. Tsirkin ead7a57df3 ssd0323: fix buffer overrun on invalid state load
CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indices into
framebuffer array.

To fix, validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
2014-05-05 22:15:02 +02:00
ads7846.c ssi: Convert legacy SSI_SLAVE -> DEVICE casts 2014-03-12 20:13:02 +01:00
blizzard_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
blizzard.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
cg3.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
cirrus_vga_rop2.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga_rop.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
cirrus_vga.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
exynos4210_fimd.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
framebuffer.c memory: add ref/unref calls 2013-07-04 17:42:45 +02:00
framebuffer.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
g364fb.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
jazz_led.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
Makefile.objs sun4m: Add Sun CG3 framebuffer and corresponding OpenBIOS FCode ROM 2014-02-27 10:01:41 +00:00
milkymist-tmu2.c milkymist-tmu2: QOM cast cleanup 2013-07-29 21:06:02 +02:00
milkymist-vgafb_template.h milkymist-vgafb: swap pixel data in source buffer 2014-02-04 19:34:30 +01:00
milkymist-vgafb.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
omap_dss.c memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
omap_lcd_template.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
omap_lcdc.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
pl110_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
pl110.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
pxa2xx_lcd.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
pxa2xx_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
qxl-logger.c aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
qxl-render.c qxl: Add missing trace.h (fix broken build) 2013-12-07 22:26:07 +04:00
qxl.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
qxl.h qxl: replace pipe signaling with bottom half 2013-11-04 12:31:42 +01:00
sm501_template.h exec: Make ldq/ldub_*_phys input an AddressSpace 2014-02-11 22:57:00 +10:00
sm501.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
ssd0303.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
ssd0323.c ssd0323: fix buffer overrun on invalid state load 2014-05-05 22:15:02 +02:00
tc6393xb_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
tc6393xb.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
tcx.c console: add head to index to qemu consoles. 2014-03-05 09:52:04 +01:00
vga_int.h vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
vga_template.h bswap.h: Remove cpu_to_32wu() 2013-11-05 19:57:47 -08:00
vga-isa-mm.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
vga-isa.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
vga-pci.c vga: add secondary stdvga variant 2014-04-28 11:03:32 +02:00
vga.c vga: add secondary stdvga variant 2014-04-28 11:03:32 +02:00
vga.h hw: move private headers to hw/ subdirectories. 2013-04-08 18:13:16 +02:00
vmware_vga.c vga: allow non-global vmstate 2014-04-28 10:21:55 +02:00
xenfb.c xenfb: Fix graphic_console_init() build failure 2014-03-08 11:27:00 +00:00