On Di, 2016-12-20 at 16:34 +0530, P J P wrote:
>
> Ping..!
Queued up now. But I don't feel like sending a pull request hours
before disappearing into the xmas holidays, so that'll happen in
January.
cheers,
Gerd
Hi
On Tue, Dec 20, 2016 at 12:56 PM P J P wrote:
> Hello Marc,
>
> +-- On Tue, 20 Dec 2016, Marc-André Lureau wrote --+
> | > +if (!max_size) {
> |
> | Shouldn't it check for >= sizeof(union virgl_caps) ? (since that's what
> | virglrenderer vrend_renderer_fill_caps() expects)
>
> No, 'm
Hello Marc,
+-- On Tue, 20 Dec 2016, Marc-André Lureau wrote --+
| > +if (!max_size) {
|
| Shouldn't it check for >= sizeof(union virgl_caps) ? (since that's what
| virglrenderer vrend_renderer_fill_caps() expects)
No, 'max_size' isn't set by a user, it's set by the library function
'vr
Hi
On Wed, Dec 14, 2016 at 8:02 AM P J P wrote:
> From: Prasad J Pandit
>
> Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
> command, retrieves the maximum capabilities size to fill in the
> response object. It continues to fill in capabilities even if
> retrieved 'max_size' is
+-- On Wed, 14 Dec 2016, P J P wrote --+
| From: Prasad J Pandit
|
| Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
| command, retrieves the maximum capabilities size to fill in the
| response object. It continues to fill in capabilities even if
| retrieved 'max_size' is zero(0),
+-- On Tue, 13 Dec 2016, Marc-André Lureau wrote --+
| > -resp = g_malloc(sizeof(*resp) + max_size);
| > +if (!max_size) {
| > +cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
| > +return;
| > +}
| >
| > +resp = g_malloc(sizeof(*resp) + max_size);
| > resp->
From: Prasad J Pandit
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.
Hi
On Tue, Dec 13, 2016 at 5:27 PM P J P wrote:
> +-- On Tue, 13 Dec 2016, Gerd Hoffmann wrote --+
> | I guess we want to throw an error (VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER)
> | in the error case then instead of leaving resp->hdr.type unset.
>
> I see, okay. Does the patch below look okay?
>
>
+-- On Tue, 13 Dec 2016, Gerd Hoffmann wrote --+
| I guess we want to throw an error (VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER)
| in the error case then instead of leaving resp->hdr.type unset.
I see, okay. Does the patch below look okay?
===
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virti
> | This is not the guest returning the size, it is the host renderer
> | library saying how much space it needs ...
>
> The library function checks 'capset_id' supplied via the 'cmd' object, as
> 'gc' is initialised from a given command 'cmd'. It sets 'max_size=0' if
> capset_id != VREND_CAP_S
Hello Gerd,
+-- On Tue, 13 Dec 2016, Gerd Hoffmann wrote --+
| On Di, 2016-12-13 at 12:44 +0530, P J P wrote:
| > From: Prasad J Pandit
| >
| > Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
| > command, retrieves the maximum capabilities size to fill in the
| > response objec
+-- On Tue, 13 Dec 2016, Pankaj Gupta wrote --+
| > +if (max_size) {
| > +resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
| > +virgl_renderer_fill_caps(gc.capset_id,
| > + gc.capset_version,
| > + (void *)resp->capset_d
On Di, 2016-12-13 at 12:44 +0530, P J P wrote:
> From: Prasad J Pandit
>
> Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
> command, retrieves the maximum capabilities size to fill in the
> response object. It continues to fill in capabilities even if
> retrieved 'max_size' is zer
>
> From: Prasad J Pandit
>
> Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
> command, retrieves the maximum capabilities size to fill in the
> response object. It continues to fill in capabilities even if
> retrieved 'max_size' is zero(0), thus resulting in OOB access.
> Add c
From: Prasad J Pandit
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.