From: Li Qiang <liqiang6-s@360.cn>

Date: Wed, 1 Feb 2017 09:35:01 +0100

Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should minus the

blt width first just like the adding in the forward mode. This

can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

{ kraxel: with backward blits (negative pitch) addr is the topmost

          address, so check it as-is against vram size ]

Cc: qemu-stable@nongnu.org

Cc: P J P <ppandit@redhat.com>

Cc: Laszlo Ersek <lersek@redhat.com>

Cc: Paolo Bonzini <pbonzini@redhat.com>

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>

Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)

---

 hw/display/cirrus_vga.c | 7 +++----

 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c

index 7db6409..16f27e8 100644

--- a/hw/display/cirrus_vga.c

+++ b/hw/display/cirrus_vga.c

@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,

 {

     if (pitch < 0) {

         int64_t min = addr

-            + ((int64_t)s->cirrus_blt_height-1) * pitch;

-        int32_t max = addr

-            + s->cirrus_blt_width;

-        if (min < 0 || max > s->vga.vram_size) {

+            + ((int64_t)s->cirrus_blt_height - 1) * pitch

+            - s->cirrus_blt_width;

+        if (min < -1 || addr >= s->vga.vram_size) {

             return true;

         }

     } else {