VNC heap corruption at 1400x1050 (with % 16 != 0)

Bug #575887 reported by Andy Lutomirski on 2010-05-05
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

vnc_refresh_server_surface assumes that the display width
is a multiple of 16. If it's not, then it accesses beyond the end of the row
by a few bytes. On all but the last row, this is mostly harmless (it can
result in unnecessarily marking the end of the row dirty), but on the last row,
it copies over heap metadata. This triggers a crash when changing resolutions or disconnecting and reconnecting a client.

I can trigger this reliably with a Windows 7 guest at 1400x1050 with -vga std.

The attached patch (rather ugly, with debugging code for good measure) partially fixes the issue. There's still a black stripe on the right side of the screen, presumably because there are other bugs in vnc.c (or I messed up the patch).

I'm marking this as a security vulnerability because it allows the guest to overwrite host memory.

The same issue is tracked in Red Hat's bugzilla here:

Andy Lutomirski (luto-mit) wrote :
visibility: private → public

Marking this invalid against qemu as it doesn't support that non-standard VESA resolution.

Changed in qemu:
status: New → Confirmed
importance: Undecided → High
status: Confirmed → Invalid
sciencewhiz (christmasboy-81) wrote :

Where can I find a list of supported QEMU resolutions?

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers