BF Specification of CVE-2007-1320 BitBlt Heap Buffer Overflow

Generated description: Missing Code (in cirrus_invalidate_region() and others) to Quantity Correct the upper bound by applying & s->cirrus_addr_mask to In Use data, in Codebase (hw/cirrus_vga.c#L642, hw/cirrus_vga.c#L657, hw/cirrus_vga.c#L674, hw/cirrus_vga.c#L693-#L694, hw/cirrus_vga.c#L744-#L745, hw/cirrus_vga.c#L771-#L772, hw/cirrus_vga.c#L804-#L805, hw/cirrus_vga.c#L1923, hw/cirrus_vga.c#L1946) running Bare-Metal (Xen bare-metal hypervisor), leads to Wrong Value (off_cur_end),

which propagates to Wrong Size (in 'while (off_cur < off_cur_end)') for a Direct Reposition of a Heap pointer with a Used size, in Codebase (hw/cirrus_vga.c#L664) in Bare-Metal (Xen bare-metal hypervisor), resulting in Over Bounds Pointer (s->vram_offset + off_cur),

which propagates to Over Bounds Pointer (in 'cpu_physical_memory_set_dirty(s->vram_offset + off_cur)') for a Sequential Write, in Codebase (hw/cirrus_vga.c#L645) in Bare-Metal (Xen bare-metal hypervisor), resulting in Buffer Overflow (heap).

If exploited, this can lead to ACE (arbitrary code execution): everything could be lost.
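The chain above, modelled as an added example in C (not QEMU's or Xen's code): a simplified stand-in for cirrus_invalidate_region() computes off_cur_end with and without the & s->cirrus_addr_mask correction, and a bounds-checking stand-in for cpu_physical_memory_set_dirty() counts the pages the loop would have marked past the end of VRAM instead of writing them. The CirrusModel struct, PAGE_SIZE, VRAM_SIZE, the page-flag array and end_of_vram_case() are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SIZE 4096u       /* stands in for TARGET_PAGE_SIZE */
#define VRAM_SIZE (4u << 20)  /* 4 MiB of emulated VRAM: constructed size, a power of two */

typedef struct {  /* stand-in for CirrusVGAState with only the fields this bug involves */
    uint8_t dirty[VRAM_SIZE / PAGE_SIZE];  /* one flag per VRAM page; stands in for the dirty bitmap */
    uint32_t vram_size;
    uint32_t cirrus_addr_mask;             /* vram_size - 1 */
} CirrusModel;

/* Stand-in for cpu_physical_memory_set_dirty(s->vram_offset + off): marks the page when it lies
 * inside VRAM; for an over-bounds offset it returns 1 instead of writing past the bitmap. */
static int set_dirty(CirrusModel *s, uint32_t off)
{
    if (off >= s->vram_size) return 1;
    s->dirty[off / PAGE_SIZE] = 1;
    return 0;
}

/* Model of cirrus_invalidate_region(): `lines` rows of `bytesperline` bytes, `off_pitch` apart.
 * apply_mask == false keeps the buggy upper bound off_cur + bytesperline; apply_mask == true
 * applies & s->cirrus_addr_mask to it, as the fix does. Returns how many pages were over bounds. */
int invalidate_region(CirrusModel *s, uint32_t off_begin, uint32_t off_pitch,
                      uint32_t bytesperline, int lines, bool apply_mask)
{
    int oob = 0;
    for (int y = 0; y < lines; y++) {
        uint32_t off_cur = off_begin;
        uint32_t off_cur_end = off_cur + bytesperline;     /* Wrong Value without the mask */
        if (apply_mask) off_cur_end &= s->cirrus_addr_mask;
        while (off_cur < off_cur_end) {                    /* Wrong Size drives this loop */
            oob += set_dirty(s, off_cur);
            off_cur += PAGE_SIZE;
        }
        off_begin += off_pitch;
    }
    return oob;
}

/* One row starting a page below the end of VRAM and spanning three pages, on a fresh model. */
int end_of_vram_case(bool apply_mask)
{
    CirrusModel s = { .vram_size = VRAM_SIZE, .cirrus_addr_mask = VRAM_SIZE - 1 };
    return invalidate_region(&s, VRAM_SIZE - PAGE_SIZE, 0, 3 * PAGE_SIZE, 1, apply_mask);
}
```

With the buggy bound the loop steps two pages past VRAM; with the masked bound off_cur_end wraps below off_cur and the loop does not run at all, which is the behaviour the fix relies on.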

vendor:product: qemu:qemu


Data Verification (DVR) class – Data are verified (semantics check) or corrected (assign, remove) improperly.
Memory Addressing (MAD) class – The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
Memory Use (MUS) class – An object is initialized, read, written, or cleared improperly.
Correct operation – Modify data (assign new value, remove) to make it accurate.
Reposition operation – Change the pointer to another position inside its object.
Write operation – Change the data value of an object to another meaningful value.
Code Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Missing Code bug – The operation is entirely absent.
Data Fault/Error type – The object data has harmed semantics or an inconsistent or wrong value.
   Wrong Value fault/error – The value of the data is not accurate (e.g., outside of a range).
   Wrong Size fault/error – The value used as size does not match the actual size of the object (e.g., to restrict pointer repositioning or index increment/decrement in a repetition statement).
Address Fault/Error type – The object address in use is wrong.
   Over Bounds Pointer fault/error – Holds an address above the upper boundary of its object.
Memory Corruption/Disclosure exploitable error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer Overflow exploitable error – Writing above the upper bound of an object – aka Buffer Over-Write.
Operation Attribute – Definition
Mechanism operation attribute type – Shows how the buggy/faulty operation code is performed.
   Quantity operation attribute – The operation checks data for a specific measurable value (e.g., size, time, rate, frequency).
   Direct operation attribute – The operation is on a particular object element.
   Sequential operation attribute – The operation is via iterating over the object elements.
Source Code operation attribute type – Shows where the buggy/faulty operation code is in software or firmware.
   Codebase operation attribute – The operation is in the programmer's code – in the application itself.
Execution Space operation attribute type – Shows where the buggy/faulty operation code is running or with what privilege level.
   Bare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operand Attribute – Definition
Data State operand attribute type – Shows where the data come from.
   In Use operand attribute – Data are from a volatile storage (e.g., RAM, cache memory).
Address State operand attribute type – Shows where the address is in the memory layout.
   Heap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() and new).
Size Kind operand attribute type – Shows what the limit for traversal of the object is.
   Used operand attribute – A supplied size for an object.