From a77c0c98570dbfcd0376d115733393b3658ffff9 Mon Sep 17 00:00:00 2001 From: Jon Maloy Date: Mon, 5 Dec 2022 15:32:55 -0500 Subject: [PATCH 6/6] hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Jon Maloy RH-MergeRequest: 242: hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler RH-Bugzilla: 2152085 RH-Acked-by: Gerd Hoffmann RH-Acked-by: Marc-André Lureau RH-Acked-by: Stefan Hajnoczi RH-Commit: [5/5] 90eb0289592bedb0c9c087190083c85b042f8908 (jmaloy/jons-qemu-kvm) BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2152085 CVE: CVE-2022-4144 Upstream: Merged commit 86fdb0582c653a9824183679403a85f588260d62 Author: Philippe Mathieu-Daudé Date: Mon Nov 28 21:27:41 2022 +0100 hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: Stefan Hajnoczi Message-Id: <20221128202741.4945-6-philmd@linaro.org> (cherry picked from commit 86fdb0582c653a9824183679403a85f588260d62) Signed-off-by: Jon Maloy --- hw/display/qxl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 2a4b2d4158..bcd9e8716a 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -1372,6 +1372,7 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta, qxl_set_guest_bug(d, "%s: pci_region = %d", __func__, pci_region); return 1; } + assert(guest_end - pci_start <= memory_region_size(mr)); virt_start = (intptr_t)memory_region_get_ram_ptr(mr); memslot.slot_id = slot_id; -- 2.37.3
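Review bot: the added `assert(guest_end - pci_start <= memory_region_size(mr));` turns an overlong slot request into a QEMU abort, while the check immediately above it in the same hunk handles a bad `pci_region` with `qxl_set_guest_bug(...)` and `return 1;`. Either the commit message should state why this condition is a true invariant that the earlier slot validation already makes unreachable from guest-supplied values (so an assert is appropriate), or the check should follow the existing pattern and report a guest bug rather than abort the whole VM. Placing the check before `virt_start = (intptr_t)memory_region_get_ram_ptr(mr);` is correct, since nothing should derive a host pointer from the region until the slot is known to fit inside it.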