1. 23 Apr, 2021 1 commit
      reds: fix nullptr deref in red-parse-qxl.cpp · 1fae1191
      Qiuhao Li authored
      At red-parse-qxl.cpp#L535
              if (qxl_flags & QXL_BITMAP_DIRECT) {
                  red->u.bitmap.data = red_get_image_data_flat(slots, group_id,
      Since qxl->bitmap.data may come from the guest, an attacker can make the
      memslot_get_virt() check in red_get_image_data_flat() fail and
      return a nullptr.
      Then at red-parse-qxl.cpp#L550
              if (qxl_flags & QXL_BITMAP_UNSTABLE) {
                  red->u.bitmap.data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
      qxl_flags is assigned as qxl->bitmap.flags before, which can also be
      controlled by the attacker, resulting in a NULL pointer dereference.
      This dereference seems to be introduced by commit 5ac88aa7.
      Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
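      The guest-controlled failure path described above, as an added C example that is not spice-server's code: a simplified, hypothetical model of memslot_get_virt(), red_get_image_data_flat() and the bitmap parse step, where the DIRECT branch rejects the image as soon as the lookup returns NULL so the UNSTABLE branch never dereferences it (names and layouts are assumptions).

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified, hypothetical model of the memslot lookup and QXL bitmap
 * parsing described in the commit; names mimic spice-server but this is
 * not the project's code. */
#define QXL_BITMAP_DIRECT           (1u << 0)
#define QXL_BITMAP_UNSTABLE         (1u << 1)
#define SPICE_CHUNKS_FLAGS_UNSTABLE (1u << 0)

typedef struct { uint8_t *base; size_t size; } MemSlot;
typedef struct { uint32_t flags; uint8_t *data; } SpiceChunks;
typedef struct { SpiceChunks *data; } RedBitmap;

/* Returns NULL when the guest-supplied [addr, addr+len) is not inside the
 * slot, which is the failing check the commit describes. */
static uint8_t *memslot_get_virt(const MemSlot *slot, uint64_t addr, size_t len)
{
    if (addr > slot->size || len > slot->size - addr)
        return NULL;
    return slot->base + addr;
}

/* Wraps the guest pixel data; propagates the NULL from memslot_get_virt(). */
static SpiceChunks *get_image_data_flat(const MemSlot *slot, uint64_t addr,
                                        size_t len, SpiceChunks *out)
{
    uint8_t *p = memslot_get_virt(slot, addr, len);
    if (p == NULL)
        return NULL;
    out->flags = 0;
    out->data = p;
    return out;
}

/* Returns 0 if the bitmap is accepted, -1 if rejected. Both flag bits come
 * from the guest, so the UNSTABLE branch must not assume data is valid. */
static int parse_bitmap(const MemSlot *slot, uint32_t qxl_flags, uint64_t addr,
                        size_t len, SpiceChunks *chunks, RedBitmap *red)
{
    red->data = NULL;
    if (qxl_flags & QXL_BITMAP_DIRECT) {
        red->data = get_image_data_flat(slot, addr, len, chunks);
        if (red->data == NULL)       /* the check the fix adds: reject early */
            return -1;
    }
    if ((qxl_flags & QXL_BITMAP_UNSTABLE) && red->data != NULL)
        red->data->flags |= SPICE_CHUNKS_FLAGS_UNSTABLE;
    return 0;
}
```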
  13. 03 Jul, 2018 2 commits
      red-parse-qxl: Avoid invalid flag usage · ca498457
      Frediano Ziglio authored
      The self_bitmap flag is used for some complex drawing not possible
      by QXL_DRAW_COPY commands. Having this flag set causes
      spice-server to draw part of the screen, copy that part onto a newly
      allocated image and reduce network optimisations with no visual
      Some drivers (like Windows 10 DOD) set this flag by mistake for
      this command so reset it.
      More details follow.
      The self_bitmap flag is used for some drawing commands that require mixing
      the frame buffer with some other image. For this specific
      QXL_DRAW_COPY command self_bitmap is used by spice-server code during
      caching/sending (the reason for the cache is to cache images sent to the
      client, hence the relationship between the two parts of the code).
      However the self_bitmap_image (an image created in spice-server if
      this flag is set) is used only if src_bitmap of the SpiceCopy structure
      (the structure used to store the QXL_DRAW_COPY command inside
      spice-server) is NULL. But in red_get_copy_ptr (red-parse-qxl.c, the
      function that parses the QXL_DRAW_COPY command from the QXL device)
      not having a src_bitmap is considered an error so the
      self_bitmap_image won't be used.
      Why does this flag affect network performance?
      When spice-server sees this flag it updates the frame buffer according
      to the pending commands (commands to be sent or still to be drawn on the
      frame buffer). spice-server maintains a tree of commands used to reduce
      rendering and commands to send. More or less, if a command is covering
      other commands (for instance filling the entire screen with a single
      color) the pending commands can be removed from the queue and not sent
      to the client. However when an update of the frame buffer is requested
      spice-server updates the frame buffer removing the commands from the
      tree but not from the client queue.
      Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
      Acked-by: Christophe Fergeau <cfergeau@redhat.com>
      memslot: Remove error parameter from memslot_get_virt · dde5fd04
      Frediano Ziglio authored
      Pointers to memory allocated in user space are never NULL.
      The only exception can be if you explicitly map memory at zero.
      There is however no reason for such a requirement and this practice
      was also removed from Linux due to security reasons.
      This API looks copied from a kernel environment where valid virtual
      addresses can be NULL.
      Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
      Acked-by: Christophe Fergeau <cfergeau@redhat.com>
  24. 09 Nov, 2016 1 commit
      Make QXLMessage handling safe · 1b159834
      Frediano Ziglio authored
      The QXLMessage has no size so potentially a guest could give an
      address that causes the string to overflow out of the video memory.
      The current solution is to parse the message, release the resources
      associated without printing the message from the client.
      This is also considering that the QXLMessage usage was deprecated
      a while ago (I don't know exactly when).
      This patch limits the string to 100000 characters (the guest can feed
      that many logs in other ways) and limits it to video memory.
      Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
      Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
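      The two bounds the commit describes (the string must end inside the video memory slot and within 100000 characters), as an added C example that is not spice-server's code: a hypothetical helper that measures a guest-supplied message without ever reading past either limit (the MemSlot layout and the function name are assumptions).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_QXL_MESSAGE_LEN 100000   /* cap chosen by the commit */

/* Hypothetical model of a video memory slot; not spice-server's type. */
typedef struct { const uint8_t *base; size_t size; } MemSlot;

/* Returns the message length if a NUL terminator is found both inside the
 * slot and within the cap, otherwise -1. The scan window is the smaller of
 * the bytes left in the slot and cap+1, so no read leaves video memory. */
static long qxl_message_len(const MemSlot *slot, uint64_t addr)
{
    if (addr >= slot->size)
        return -1;                              /* address outside video memory */
    size_t avail = slot->size - addr;
    size_t limit = avail < MAX_QXL_MESSAGE_LEN + 1 ? avail
                                                   : MAX_QXL_MESSAGE_LEN + 1;
    const uint8_t *p = slot->base + addr;
    const uint8_t *nul = memchr(p, 0, limit);
    if (nul == NULL)
        return -1;                              /* unterminated or over the cap */
    return (long)(nul - p);
}
```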