From: "Radim Krčmář" <rkrcmar@redhat.com>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH v2 2/4] spice: fix invalid memory access to vga.vram
Date: Tue, 17 Feb 2015 17:30:51 +0100	[thread overview]
Message-ID: <1424190653-29139-3-git-send-email-rkrcmar@redhat.com> (raw)
In-Reply-To: <1424190653-29139-1-git-send-email-rkrcmar@redhat.com>

vga_common_init() doesn't allow more than 256 MiB vram size and silently
shrinks any larger value.  qxl_dirty_surfaces() used the unshrunk size
via qxl->shadow_rom.surface0_area_size when accessing the memory, which
resulted in a segfault.

Add a workaround for this case and an assert if it happens again.

We have to bump the vga memory limit too, because 256 MiB wouldn't have
allowed 8k (it requires more than 128 MiB).
1024 MiB doesn't work, but 512 MiB seems fine.

Proposed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
---
 v2: changed numbers in Gerd's solution, added an assert and a comment
     (was [v1 2/2])
 
 hw/display/qxl.c | 8 ++++++++
 hw/display/vga.c | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 6e9079783e27..92f2d5025d70 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -370,6 +370,8 @@ static void init_qxl_rom(PCIQXLDevice *d)
     num_pages         -= surface0_area_size;
     num_pages          = num_pages / QXL_PAGE_SIZE;
 
+    assert(ram_header_size + surface0_area_size <= d->vga.vram_size);
+
     rom->draw_area_offset   = cpu_to_le32(0);
     rom->surface0_area_size = cpu_to_le32(surface0_area_size);
     rom->pages_offset       = cpu_to_le32(surface0_area_size);
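Review bot: the new assert on `ram_header_size + surface0_area_size <= d->vga.vram_size` is checked only after `num_pages -= surface0_area_size` has already consumed the same value two lines above it, so the arithmetic on num_pages runs on the unchecked size first; moving the assert above that subtraction makes the invariant guard the computation it protects. Also consider whether an abort is the right failure mode here: the sizes come from device properties supplied by the host configuration, and the rest of the series clamps them in qxl_init_ramsize(), so reaching this assert means the clamp and the VGA limit have drifted apart, which is worth a comment at the assert saying exactly that.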
@@ -1883,6 +1885,12 @@ static void qxl_init_ramsize(PCIQXLDevice *qxl)
     if (qxl->vgamem_size_mb < 8) {
         qxl->vgamem_size_mb = 8;
     }
+    /* XXX: we round vgamem_size_mb up to a nearest power of two and it must be
+     * less than vga_common_init()'s maximum on qxl->vga.vram_size (512 now).
+     */
+    if (qxl->vgamem_size_mb > 256) {
+        qxl->vgamem_size_mb = 256;
+    }
     qxl->vgamem_size = qxl->vgamem_size_mb * 1024 * 1024;
 
     /* vga ram (bar 0, total) */
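Review bot: the cap `qxl->vgamem_size_mb > 256` encodes a hidden dependency on the 512 MiB limit in vga_common_init() that the XXX comment only describes in words ("512 now"); if either number changes independently the surface0 overrun this patch fixes comes back, so a shared #define for the VGA maximum, or deriving 256 from it, would make the coupling enforceable rather than documented. The clamp is also silent, which is the same behaviour the commit message criticises in vga_common_init(); a warning when a user-requested vgamem_size_mb is reduced would tell the user why the configured value was not honoured.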
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 9c62fbf48823..13f34f950d5a 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -2122,10 +2122,10 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)
         expand4to8[i] = v;
     }
 
-    /* valid range: 1 MB -> 256 MB */
+    /* valid range: 1 MB -> 512 MB */
     s->vram_size = 1024 * 1024;
     while (s->vram_size < (s->vram_size_mb << 20) &&
-           s->vram_size < (256 << 20)) {
+           s->vram_size < (512 << 20)) {
         s->vram_size <<= 1;
     }
     s->vram_size_mb = s->vram_size >> 20;
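Review bot: the limit now appears twice in this hunk, once in the comment ("1 MB -> 512 MB") and once as the literal `512 << 20`, with a third copy as `256` in qxl_init_ramsize(); a single named constant would keep the comment, the clamp and the QXL-side cap from diverging. The loop still shrinks an over-sized vram_size_mb without telling the user, which is the root cause described in the commit message, so printing a warning when `s->vram_size_mb` ends up smaller than requested would surface future misconfigurations instead of hiding them.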
-- 
2.3.0
