Sisyphus repository
Last updated: 1 October 2023 | Packages: 18631 | Visits: 37047248

Group :: Graphical desktops/Other
Package: SPICE


Patch: 0001-reds-fix-nullptr-deref-in-red-parse-qxlcpp.patch


From 1fae1191e55638ff7593e3bf2d8d14cafd884305 Mon Sep 17 00:00:00 2001
From: Qiuhao Li <Qiuhao.Li@outlook.com>
Date: Fri, 23 Apr 2021 10:10:50 +0800
Subject: [PATCH] reds: fix nullptr deref in red-parse-qxl.cpp
At red-parse-qxl.cpp#L535
        if (qxl_flags & QXL_BITMAP_DIRECT) {
            red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
                                                         qxl->bitmap.data,
                                                         bitmap_size);
Since qxl->bitmap.data may come from the guest, an attacker can make the
memslot_get_virt() check in red_get_image_data_flat() fail and
return a nullptr.
Then at red-parse-qxl.cpp#L550
        if (qxl_flags & QXL_BITMAP_UNSTABLE) {
            red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
        }
qxl_flags is assigned as qxl->bitmap.flags before, which can also be
controlled by the attacker, resulting in a NULL pointer dereference.
This dereference seems to be introduced by commit 5ac88aa7.
Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
---
 server/red-parse-qxl.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/server/red-parse-qxl.cpp b/server/red-parse-qxl.cpp
index 9724401..3575436 100644
--- a/server/red-parse-qxl.cpp
+++ b/server/red-parse-qxl.cpp
@@ -535,6 +535,9 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
             red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
                                                          qxl->bitmap.data,
                                                          bitmap_size);
+            if (red->u.bitmap.data == nullptr) {
+                goto error;
+            }
         } else {
             size = red_get_data_chunks(slots, group_id,
                                        &chunks, qxl->bitmap.data);
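Review bot: the new `if (red->u.bitmap.data == nullptr) goto error;` jumps to an `error` label that lies outside the visible context; confirm that label releases the partially built `red` (the `SpiceImage` allocated earlier in red_get_image) and returns nullptr, so the caller sees a parse failure instead of reaching the `red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE` statement the commit message cites. The `else` branch below (`size = red_get_data_chunks(...)`) is not touched here; if its failure path was audited at the same time, a sentence in the commit message saying so would save the next reader the check. Since the message already pins the regression to commit 5ac88aa7, a `Fixes:` trailer would make backport selection easier.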
--
libgit2 1.3.0
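To make the failure mode described in the commit message concrete, here is an added illustration in C. It is not SPICE's code: the slot table, the address translation helper and the two parse functions are hypothetical stand-ins for memslot_get_virt(), red_get_image_data_flat() and red_get_image(), and the guest addresses are constructed. It shows why a guest-supplied bitmap pointer can make the slot lookup return NULL, what the pre-fix caller did with that NULL, and the shape of the post-fix early return.

```c
/* Added illustration (not SPICE's code): a cut-down model of how a
 * guest-controlled QXL bitmap pointer reaches the memslot lookup, why that
 * lookup can fail, and how the caller must handle the failure.
 * All names (MemSlot, guest_to_host, image_parse_*) are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_FLAG_UNSTABLE 0x1u   /* stands in for SPICE_CHUNKS_FLAGS_UNSTABLE */
#define BITMAP_UNSTABLE     0x2u   /* stands in for QXL_BITMAP_UNSTABLE */

/* One guest memory slot: a guest-physical range backed by host memory. */
typedef struct { uint64_t guest_base; uint64_t size; uint8_t *host; } MemSlot;

/* What the guest hands the server: a pointer into its own memory plus flags. */
typedef struct { uint64_t data_addr; uint32_t flags; } GuestBitmap;

/* What the server builds: a host-side chunk with its own flags. */
typedef struct { uint32_t flags; uint8_t *ptr; size_t len; } Chunk;

/* Analogue of memslot_get_virt(): translate guest address + length into a
 * host pointer, or NULL when the range is not fully inside the slot. */
static uint8_t *guest_to_host(const MemSlot *slot, uint64_t addr, uint64_t len)
{
    if (addr < slot->guest_base)
        return NULL;
    uint64_t off = addr - slot->guest_base;
    /* Overflow-safe bound check: off + len must not exceed slot->size. */
    if (len > slot->size || off > slot->size - len)
        return NULL;
    return slot->host + off;
}

/* Analogue of red_get_image_data_flat(): NULL when the lookup fails. */
static Chunk *get_data_flat(const MemSlot *slot, uint64_t addr, uint64_t len)
{
    uint8_t *host = guest_to_host(slot, addr, len);
    if (host == NULL)
        return NULL;
    Chunk *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->ptr = host;
    c->len = (size_t)len;
    return c;
}

/* Pre-fix shape: the flags update runs even when get_data_flat() returned NULL,
 * and the guest also controls whether that branch is taken. */
static Chunk *image_parse_unchecked(const MemSlot *slot, const GuestBitmap *g, uint64_t len)
{
    Chunk *data = get_data_flat(slot, g->data_addr, len);
    if (g->flags & BITMAP_UNSTABLE)
        data->flags |= CHUNK_FLAG_UNSTABLE;   /* NULL deref if the lookup failed */
    return data;
}

/* Post-fix shape: bail out before touching the chunk. */
static Chunk *image_parse_checked(const MemSlot *slot, const GuestBitmap *g, uint64_t len)
{
    Chunk *data = get_data_flat(slot, g->data_addr, len);
    if (data == NULL)
        return NULL;                          /* caller treats this as a parse error */
    if (g->flags & BITMAP_UNSTABLE)
        data->flags |= CHUNK_FLAG_UNSTABLE;
    return data;
}

int main(void)
{
    static uint8_t backing[4096];
    MemSlot slot = { .guest_base = 0x10000, .size = sizeof backing, .host = backing };
    GuestBitmap good = { .data_addr = 0x10100, .flags = BITMAP_UNSTABLE };
    GuestBitmap bad  = { .data_addr = 0xdead0000, .flags = BITMAP_UNSTABLE }; /* constructed: outside the slot */

    Chunk *c = image_parse_unchecked(&slot, &good, 256);   /* fine on an in-slot address */
    printf("unchecked, in-slot address: flags=0x%x\n", c->flags);
    free(c);

    c = image_parse_checked(&slot, &bad, 256);
    printf("checked, out-of-slot address: %s\n", c ? "ok" : "rejected");
    free(c);
    /* image_parse_unchecked(&slot, &bad, 256) would dereference NULL here. */
    return 0;
}
```

The bound check in guest_to_host() is written as `off > size - len` rather than `off + len > size` so that a huge guest-supplied address cannot wrap the addition; the early return in image_parse_checked() is the same control flow as the `goto error` in the patch, with the cleanup the label performs left to the caller in this model.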
 
design and development: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin