From e7f77583b7b80b072152fc4218c06f79497bfe78 Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Tue, 4 Jul 2023 10:41:22 +0200 Subject: [PATCH 1/2] ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A wrong exit condition may lead to an infinite loop when inflating a valid zlib buffer containing some extra bytes in the `inflate_buffer` function. The bug only occurs post-authentication. Return the buffer immediately if the end of the compressed data has been reached (Z_STREAM_END). Fixes: CVE-2023-3255 Fixes: 0bf41cab ("ui/vnc: clipboard support") Reported-by: Kevin Denis Signed-off-by: Mauro Matteo Cascella Reviewed-by: Marc-André Lureau Tested-by: Marc-André Lureau Message-ID: <20230704084210.101822-1-mcascell@redhat.com> (cherry picked from commit d921fea338c1059a27ce7b75309d7a2e485f710b) Resolves: bsc#1213001 Signed-off-by: Dario Faggioli --- ui/vnc-clipboard.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c index 8aeadfaa21..c759be3438 100644 --- a/ui/vnc-clipboard.c +++ b/ui/vnc-clipboard.c @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) ret = inflate(&stream, Z_FINISH); switch (ret) { case Z_OK: - case Z_STREAM_END: break; + case Z_STREAM_END: + *size = stream.total_out; + inflateEnd(&stream); + return out; case Z_BUF_ERROR: out_len <<= 1; if (out_len > (1 << 20)) { @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) } } - *size = stream.total_out; - inflateEnd(&stream); - - return out; - err_end: inflateEnd(&stream); err: -- 2.51.1 From a555a25e73d12d4e4b6774a8afc4c906fa2b8178 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Wed, 12 Jul 2023 09:47:22 +0200 Subject: [PATCH 2/2] hw/ide/piix: properly initialize the BMIBA register MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit According to the 82371FB documentation (82371FB.pdf, 2.3.9. BMIBA-BUS MASTER INTERFACE BASE ADDRESS REGISTER, April 1997), the register is 32bit wide. To properly reset it to default values, all 32bit need to be cleared. Bit #0 "Resource Type Indicator (RTE)" needs to be enabled. The initial change wrote just the lower 8 bit, leaving parts of the "Bus Master Interface Base Address" address at bit 15:4 unchanged. Fixes: e6a71ae327 ("Add support for 82371FB (Step A1) and Improved support for 82371SB (Function 1)") Signed-off-by: Olaf Hering Reviewed-by: Bernhard Beschow Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20230712074721.14728-1-olaf@aepfle.de> Signed-off-by: Paolo Bonzini (cherry picked from commit 230dfd9257e92259876c113e58b5f0d22b056d2e) Resolves: bsc#1179993, bsc#1181740 Signed-off-by: Olaf Hering Signed-off-by: Dario Faggioli --- hw/ide/piix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/ide/piix.c b/hw/ide/piix.c index 41d60921e3..17ec304064 100644 --- a/hw/ide/piix.c +++ b/hw/ide/piix.c @@ -118,7 +118,7 @@ static void piix_ide_reset(DeviceState *dev) pci_set_word(pci_conf + PCI_COMMAND, 0x0000); pci_set_word(pci_conf + PCI_STATUS, PCI_STATUS_DEVSEL_MEDIUM | PCI_STATUS_FAST_BACK); - pci_set_byte(pci_conf + 0x20, 0x01); /* BMIBA: 20-23h */ + pci_set_long(pci_conf + 0x20, 0x1); /* BMIBA: 20-23h */ } static bool pci_piix_init_bus(PCIIDEState *d, unsigned i, Error **errp) -- 2.51.1