Re: [Qemu-devel] [PULL 3/3] cirrus: Fix host CPU blits

[Peter Lieven <lieven-lists@dlhnet.de>]

Hi Benjamin,

On 11.07.2014 12:24, Gerd Hoffmann wrote:
> From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>
> Commit b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef
> "CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow" broke
> cpu to video blits.
>
> When the ROP function is called from cirrus_bitblt_cputovideo_next(),
> we pass 0 for the pitch but only operate on one line at a time. The
> added test was tripping because after the initial substraction, the
> pitch becomes negative. Make the test only trip when the height is
> larger than one (ie. the pitch is actually used).
>
> This fixes HW cursor support in Windows NT4.0 (which otherwise was
> a white rectangle) and general display of icons in that OS when using
> 8bpp mode.
>
> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   hw/display/cirrus_vga_rop.h | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
> index 9c7bb09..0925a00 100644
> --- a/hw/display/cirrus_vga_rop.h
> +++ b/hw/display/cirrus_vga_rop.h
> @@ -52,8 +52,7 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
>       dstpitch -= bltwidth;
>       srcpitch -= bltwidth;
>   
> -    if (dstpitch < 0 || srcpitch < 0) {
> -        /* is 0 valid? srcpitch == 0 could be useful */
> +    if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
>           return;
>       }
>   

it seems you have digged into the cirrus code recently. Have you an idea how to
fix the issue with the graphics corruption for cirrus vga and recent X Server versions?

E.g. take an Ubuntu 14.04 Desktop CD, boot it into live mode and open terminal.

I have tried to debug it a little, but I have no clue how to solve this. I tried to get
hands on a real hardware Cirrus Logic Graphics card and test if this happens there as well,
but I had no chance to get one.

Peter