authorLeonardo Arena <rnalrd@alpinelinux.org>2017-06-16 09:20:15 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2017-06-16 09:34:59 +0000
commit108d798f522424e0e5c45a725d2b052458411614 (patch)
tree19874d2b6076e4b5b15db6852ce17edfa153226b /main
parent3fcc32c9ff95c730f11a5370f3db849a273fb08a (diff)
main/xen: security fixes #6919 (XSA-207, CVE-2017-2615, CVE-2017-2620)
Diffstat (limited to 'main')
-rw-r--r--main/xen/APKBUILD30
-rw-r--r--main/xen/xsa207.patch31
-rw-r--r--main/xen/xsa208-qemut.patch56
-rw-r--r--main/xen/xsa208-qemuu-4.7.patch53
-rw-r--r--main/xen/xsa209-qemut.patch54
-rw-r--r--main/xen/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch72
-rw-r--r--main/xen/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch60
7 files changed, 355 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index d263116b59..1d3c162f42 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.5.5
-pkgrel=2
+pkgrel=3
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -34,6 +34,12 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa201-4.patch
xsa202-4.6.patch
xsa204-4.5.patch
+ xsa207.patch
+ xsa208-qemut.patch
+ xsa208-qemuu-4.7.patch
+ xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+ xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+ xsa209-qemut.patch
xsa211-qemut-4.5.patch
xsa211-qemuu-4.6.patch
xsa212.patch
@@ -93,6 +99,10 @@ _builddir="$srcdir"/$pkgname-$pkgver
# - CVE-2017-8903 XSA-213
# - CVE-2017-8904 XSA-214
# - CVE-2017-8905 XSA-215
+# 4.5.5-r3:
+# - XSA-207
+# - CVE-2017-2615 XSA-208
+# - CVE-2017-2620 XSA-209
prepare() {
local i
@@ -248,6 +258,12 @@ add3ad7828d582fc272073e906ce17a1 xsa200-4.6.patch
9cb1516d783fc9c765e9a37574bb3cbd xsa201-4.patch
a5a39c6354c952095e1d78a582385933 xsa202-4.6.patch
9449168ccbc38442b8f55ad9c0964b9f xsa204-4.5.patch
+31058e5dfdf50c171d450e27776d5d07 xsa207.patch
+91f0e92cde4c3d88a792699d9ea43f00 xsa208-qemut.patch
+ef703d045bf84ef27c90ce3190e25e33 xsa208-qemuu-4.7.patch
+fa347ce5494be0a9199b052eede3ca19 xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+1dc8ad4b8a7ad8412c64a71a79c836c1 xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+d3307c3a5e6473717f34b8aff693f678 xsa209-qemut.patch
8a3dd57e9587f4696ef1719e442f7821 xsa211-qemut-4.5.patch
a300eae67ae77cf4d2e0741dad01ee29 xsa211-qemuu-4.6.patch
8d3c76a3954dfa359d2f9fe9b59c1828 xsa212.patch
@@ -292,6 +308,12 @@ d662353629117b9c978cf5444995b41e77b079cc665e078ae7868b715c47c382 xsa197-4.5-qem
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919 xsa201-4.patch
e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4 xsa202-4.6.patch
e523b65ba122c8e22d32004d2035facaf06295094fdc8b67c151b6f44799ef0b xsa204-4.5.patch
+e9bcf807b3785ac4d78b621fba4a9395cd713d6e57cdaa66559bccf95ded1cd9 xsa207.patch
+7587967c37af44064a48a244f86e828502f56f6f7cbc76439b7566defcd1c6ee xsa208-qemut.patch
+de706f2b87dcfa5ff9cab37f9640fbd59a90d7f93345eb0c4b23966fd9ed1c10 xsa208-qemuu-4.7.patch
+501566e24ee8b4df6b97bc050bcdc11ea7b12801cba7446d5179788dbb3e5190 xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+78f45281545ed9e5e7c41010dbcb1c3e28aaf3609608568b1d45bbe30e4b5336 xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+af15d6e6a52f01dbdfc2a4b8a7931d4305fc89b003558f10a548a644dbdb8245 xsa209-qemut.patch
851b3bb0686b116d1462185a02c652de53cef7f5da2d6a6947c39885a74c79ff xsa211-qemut-4.5.patch
be0049f39b306a3dfb703b73eb60ecf35b9cc7a3d4e9481fd8314fd7e3704573 xsa211-qemuu-4.6.patch
be1255bcda06158cdb86eb5297e8a271e05318e88cd21035c58a67f9ada6ccba xsa212.patch
@@ -336,6 +358,12 @@ afed1ed3c5b4dd3a1d2c1c0fe824cdeb58efdc40fdaf5ce439deb2feef63141168114ea362fc5c68
1761ca422fe9e3caee3442b43b84da49721a01ed8417f653c568695b08718c40be1493cc7a0a6145c7ce195c7fb0c753b190fe2f1782d5242e1e304c18005610 xsa201-4.patch
dee7a595324ea5de3754c9aad2422fc2021bcb53999e344dbe6e4edfd4772a5ed20e8ebfb40750b81287a2a022037d49cbe4f0f7ba481ae0ac79a4249ef630bf xsa202-4.6.patch
0ab83e29f10288f24f46de6f9ea267a3ee6eaef356e1905318006d20ffa1dba43c7661229246e394c8454c15e3127df7de026bde02ab3614e1c2ef8fc7396850 xsa204-4.5.patch
+89848dcdfaebf462765b2a32c9c57d5404930721ff92f7cb05c221a99be2b82fb23d31f91f52fbf32874a69065a2e8ad921460a3655f4b03cf827a8203137fac xsa207.patch
+ef8422f79c1e791f19f6346ecf0de1d7e9735f9d623b6535a10a44b045ca4379b1df5701193624e729be4ca26746407dee42e6edb9498f004a2819385b82bde1 xsa208-qemut.patch
+8b1a507abc7b0e51d870e845e9f27d7ad19b514a93f57942fee1ee0aabd8118311051ae00a556d4399583f8d628452e4b385ef142306ecadf0518568f0cd8d7f xsa208-qemuu-4.7.patch
+5da7ccb38726634251905fed692ee8c9bbe480c33b0e172651fc7316ef84fdfac5d660ba309944800e3344f0260efae32444f3cf9ec4f8dfc3f848cdb8626d20 xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
+156fec680ab0b0652cea8409e0f86110c796d5b166466bb00743d35cd2289a91bab1192a73f77f1fa33be615743cf3dff7c3c848cc0c93ae35843e0e52fa3405 xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
+cfc0178fd1d22b99d7debd94d5271967d8daeb7f132e8853b90e0e5f1793635939beba5b0ed6984b635a4c44ef2c02df7bedf7a98abf969e307427d06d2e4412 xsa209-qemut.patch
d8a567dde6af0c49a939c89eaeb6127912168f180bbe32db0cf9a1af631370f0658c55129140431abb7c8c096a2784bfeb80849167c5672bdb7ed50fa7418568 xsa211-qemut-4.5.patch
a21ae520900f31b77a50cb9956499d884d93802962e0f10503c61b8962ad76a38655a17bc9ef03057b5c23d4f4c5b6a951fd3ad6aa5bbd5ad7e939b29706b7c6 xsa211-qemuu-4.6.patch
d012556c6b439629c5e4284a0de2f5ae70cda3db4f6f42373b8719509fec3bb0bb667a50484fd1e6c1129dcd2bff550a3eb9ead0f676fb626e6263ac98023e06 xsa212.patch
diff --git a/main/xen/xsa207.patch b/main/xen/xsa207.patch
new file mode 100644
index 0000000000..6fb86fc9d5
--- /dev/null
+++ b/main/xen/xsa207.patch
@@ -0,0 +1,31 @@
+From: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Subject: IOMMU: always call teardown callback
+
+There is a possible scenario when (d)->need_iommu remains unset
+during guest domain execution. For example, when no devices
+were assigned to it. Taking into account that teardown callback
+is not called when (d)->need_iommu is unset we might have unreleased
+resourses after destroying domain.
+
+So, always call teardown callback to roll back actions
+that were performed in init callback.
+
+This is XSA-207.
+
+Signed-off-by: Oleksandr Tyshchenko <olekstysh@gmail.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Jan Beulich <jbeulich@suse.com>
+Tested-by: Julien Grall <julien.grall@arm.com>
+
+--- a/xen/drivers/passthrough/iommu.c
++++ b/xen/drivers/passthrough/iommu.c
+@@ -244,8 +244,7 @@ void iommu_domain_destroy(struct domain
+ if ( !iommu_enabled || !dom_iommu(d)->platform_ops )
+ return;
+
+- if ( need_iommu(d) )
+- iommu_teardown(d);
++ iommu_teardown(d);
+
+ arch_iommu_domain_destroy(d);
+ }
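Review bot: Calling iommu_teardown(d) unconditionally is only correct if that function tolerates a domain whose need_iommu flag was never set, i.e. one with no init-side state to undo; iommu_teardown's body is not in the hunk, so that precondition cannot be confirmed from here. A one-line comment above the call would record the assumption for the next person who touches this path: `/* Unconditional on purpose: teardown must cope with need_iommu(d) never having been set. */`. iommu_domain_destroy starts outside the hunk.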
diff --git a/main/xen/xsa208-qemut.patch b/main/xen/xsa208-qemut.patch
new file mode 100644
index 0000000000..2e5827275b
--- /dev/null
+++ b/main/xen/xsa208-qemut.patch
@@ -0,0 +1,56 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208 - Ian Jackson ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/qemu-xen-traditional/hw/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/tools/qemu-xen-traditional/hw/cirrus_vga.c b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+index e6c3893..364e22d 100644
+--- a/tools/qemu-xen-traditional/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -308,10 +308,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
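Review bot: The new `min < -1 || addr >= s->vram_size` test in blit_region_is_unsafe is only exact if the backward ROP helpers write each row downward from addr over cirrus_blt_width bytes, so that a row spans [addr - width + 1, addr] and addr itself is the highest byte touched; those helpers are not in the hunk, and without that invariant stated the `-1` bound reads like an off-by-one inviting a later "fix" that re-opens the out-of-bounds access. A comment above the computation would pin it down: `/* backward blit: addr is the highest byte of the first row; rows extend downward by width, so the lowest byte touched is min + 1 */`. The same hunk, against s->vga.vram_size, appears in xsa208-qemuu-4.7.patch. blit_region_is_unsafe's signature and its forward-pitch branch lie outside the hunk.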
diff --git a/main/xen/xsa208-qemuu-4.7.patch b/main/xen/xsa208-qemuu-4.7.patch
new file mode 100644
index 0000000000..abd85c77e6
--- /dev/null
+++ b/main/xen/xsa208-qemuu-4.7.patch
@@ -0,0 +1,53 @@
+From 8f63265efeb6f92e63f7e749cb26131b68b20df7 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 13 Feb 2017 15:22:15 +0000
+Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+This is XSA-208.
+
+upstream-commit-id: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+ address, so check it as-is against vram size ]
+
+Cc: qemu-stable@nongnu.org
+Cc: P J P <ppandit@redhat.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
+---
+ tools/qemu-xen/hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/display/cirrus_vga.c b/tools/qemu-xen/hw/display/cirrus_vga.c
+index 5198037..7bf3707 100644
+--- a/tools/qemu-xen/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -272,10 +272,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ {
+ if (pitch < 0) {
+ int64_t min = addr
+- + ((int64_t)s->cirrus_blt_height-1) * pitch;
+- int32_t max = addr
+- + s->cirrus_blt_width;
+- if (min < 0 || max >= s->vga.vram_size) {
++ + ((int64_t)s->cirrus_blt_height - 1) * pitch
++ - s->cirrus_blt_width;
++ if (min < -1 || addr >= s->vga.vram_size) {
+ return true;
+ }
+ } else {
+--
+2.1.4
+
diff --git a/main/xen/xsa209-qemut.patch b/main/xen/xsa209-qemut.patch
new file mode 100644
index 0000000000..23225d0d29
--- /dev/null
+++ b/main/xen/xsa209-qemut.patch
@@ -0,0 +1,54 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Fixed compilation by removing extra parameter to blit_is_unsafe. -iwj
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+diff --git a/tools/qemu-xen-traditional/hw/cirrus_vga.c b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+index e6c3893..45facb6 100644
+--- a/tools/qemu-xen-traditional/hw/cirrus_vga.c
++++ b/tools/qemu-xen-traditional/hw/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+
++ if (blit_is_unsafe(s)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
++ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
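Review bot: In the qemu-traditional variant blit_is_unsafe(s) takes no dst_only argument (the patch description says the extra parameter was dropped to fix compilation), so the new guard at the top of cirrus_bitblt_cputovideo also validates cirrus_blt_srcaddr/srcpitch against VRAM even though a MEMSYSSRC blit takes its source from CPU writes rather than VRAM; this is conservative rather than unsafe, but a guest that leaves the source registers stale for such blits may now have them rejected, the same class of regression the qemuu 0001 patch describes for solid fills. A comment on the call would make that trade-off visible: `/* also checks the (unused) VRAM source region: conservative, may reject blits with stale srcaddr */`. Separately, the added assert on cirrus_blt_srcpitch turns any gap in the width check into an abort of the device model on guest-programmed state; a `return 0` fallback after the assert would fail closed without taking the VM down. The same assert is added in xsa209-qemuu-0002. cirrus_bitblt_cputovideo continues outside both hunks.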
diff --git a/main/xen/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/main/xen/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
new file mode 100644
index 0000000000..95f522c3d5
--- /dev/null
+++ b/main/xen/xsa209-qemuu-0001-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
@@ -0,0 +1,72 @@
+From 52b7f43c8fa185ab856bcaacda7abc9a6fc07f84 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@suse.com>
+Date: Tue, 21 Feb 2017 10:54:38 -0800
+Subject: [PATCH 1/2] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ tools/qemu-xen/hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/qemu-xen/hw/display/cirrus_vga.c b/tools/qemu-xen/hw/display/cirrus_vga.c
+index 7bf3707..34a6900 100644
+--- a/tools/qemu-xen/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -288,7 +288,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+ return false;
+ }
+
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+ /* should be the case, see cirrus_bitblt_start */
+ assert(s->cirrus_blt_width > 0);
+@@ -302,6 +302,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ return true;
+ }
++ if (dst_only) {
++ return false;
++ }
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ return true;
+@@ -667,7 +670,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+
+ dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+
+ (*s->cirrus_rop) (s, dst, src,
+@@ -685,7 +688,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+ cirrus_fill_t rop_func;
+
+- if (blit_is_unsafe(s)) {
++ if (blit_is_unsafe(s, true)) {
+ return 0;
+ }
+ rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -784,7 +787,7 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+- if (blit_is_unsafe(s))
++ if (blit_is_unsafe(s, false))
+ return 0;
+
+ cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+--
+2.1.4
+
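Review bot: The new `dst_only` parameter of blit_is_unsafe is undocumented, and its meaning has to be reverse-engineered from the three call sites; a short comment at the definition would help: `/* dst_only: skip the source-region check for blits whose source is not VRAM (solid fill). */`. It is worth noting in that comment that the width check and the destination check still run before the early return, so dst_only never weakens the protection of host memory on the destination side. The remainder of blit_is_unsafe and the bodies of the three callers lie outside the visible hunks.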
diff --git a/main/xen/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/main/xen/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
new file mode 100644
index 0000000000..f6a5880516
--- /dev/null
+++ b/main/xen/xsa209-qemuu-0002-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
@@ -0,0 +1,60 @@
+From 15268f91fbe75b38a851c458aef74e693d646ea5 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 21 Feb 2017 10:54:59 -0800
+Subject: [PATCH 2/2] cirrus: add blit_is_unsafe call to
+ cirrus_bitblt_cputovideo
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all. Oops. Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+The missing blit width check allows to overflow cirrus_bltbuf,
+with the attractive target cirrus_srcptr (current cirrus_bltbuf write
+position) being located right after cirrus_bltbuf in CirrusVGAState.
+
+Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
+hasn't full control over cirrus_srcptr though, only one byte can be
+changed. Once the first byte has been modified further writes land
+elsewhere.
+
+[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
+
+Reported-by: Gerd Hoffmann <ghoffman@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ tools/qemu-xen/hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/qemu-xen/hw/display/cirrus_vga.c b/tools/qemu-xen/hw/display/cirrus_vga.c
+index 34a6900..5901250 100644
+--- a/tools/qemu-xen/hw/display/cirrus_vga.c
++++ b/tools/qemu-xen/hw/display/cirrus_vga.c
+@@ -865,6 +865,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+ int w;
+
++ if (blit_is_unsafe(s, true)) {
++ return 0;
++ }
++
+ s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+ s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+ s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -890,6 +894,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ }
+ s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+ }
++
++ /* the blit_is_unsafe call above should catch this */
++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+ s->cirrus_srcptr = s->cirrus_bltbuf;
+ s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+ cirrus_update_memory_access(s);
+--
+2.1.4
+