1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 00:17:46 +00:00

Kernel: Fix buffer overflow in VirtIOGPU create_3d_resource(..)

This code attempts to copy the `Protocol::Resource3DSpecification`
struct into request, starting at `Protocol::ResourceCreate3D::target`
member of the `Protocol::ResourceCreate3D` struct.

The problem is that the `Protocol::Resource3DSpecification` struct
does not having the trailing `u32 padding` that the `ResourceCreate3D`
struct has. Leading to memcopy overrunning the struct and corrupting
32 bits of data trailing the struct.

Found by SonarCloud:
 - Memory copy function overflows the destination buffer.
This commit is contained in:
Brian Gianforcaro 2022-03-13 20:07:31 -07:00 committed by Andreas Kling
parent af50895fa3
commit c0ed656c94
3 changed files with 7 additions and 2 deletions

View file

@ -328,6 +328,7 @@ struct Resource3DSpecification {
u32 last_level;
u32 nr_samples;
u32 flags;
u32 padding;
};
}