From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Gerd Hoffmann" <kraxel@redhat.com>, "Radim Krčmář" <rkrcmar@redhat.com>
Subject: [Qemu-devel] [PULL 2/7] spice: fix invalid memory access to vga.vram
Date: Wed, 4 Mar 2015 15:30:44 +0100 [thread overview]
Message-ID: <1425479449-11480-3-git-send-email-kraxel@redhat.com> (raw)
In-Reply-To: <1425479449-11480-1-git-send-email-kraxel@redhat.com>
From: Radim Krčmář <rkrcmar@redhat.com>
vga_common_init() doesn't allow more than 256 MiB vram size and silently
shrinks any larger value. qxl_dirty_surfaces() used the unshrinked size
via qxl->shadow_rom.surface0_area_size when accessing the memory, which
resulted in segfault.
Add a workaround for this case and an assert if it happens again.
We have to bump the vga memory limit too, because 256 MiB wouldn't have
allowed 8k (it requires more than 128 MiB).
1024 MiB doesn't work, but 512 MiB seems fine.
Proposed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/qxl.c | 8 ++++++++
hw/display/vga.c | 4 ++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 6e90797..92f2d50 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -370,6 +370,8 @@ static void init_qxl_rom(PCIQXLDevice *d)
num_pages -= surface0_area_size;
num_pages = num_pages / QXL_PAGE_SIZE;
+ assert(ram_header_size + surface0_area_size <= d->vga.vram_size);
+
rom->draw_area_offset = cpu_to_le32(0);
rom->surface0_area_size = cpu_to_le32(surface0_area_size);
rom->pages_offset = cpu_to_le32(surface0_area_size);
@@ -1883,6 +1885,12 @@ static void qxl_init_ramsize(PCIQXLDevice *qxl)
if (qxl->vgamem_size_mb < 8) {
qxl->vgamem_size_mb = 8;
}
+ /* XXX: we round vgamem_size_mb up to a nearest power of two and it must be
+ * less than vga_common_init()'s maximum on qxl->vga.vram_size (512 now).
+ */
+ if (qxl->vgamem_size_mb > 256) {
+ qxl->vgamem_size_mb = 256;
+ }
qxl->vgamem_size = qxl->vgamem_size_mb * 1024 * 1024;
/* vga ram (bar 0, total) */
diff --git a/hw/display/vga.c b/hw/display/vga.c
index c8c49ab..6e4ca7e 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -2121,10 +2121,10 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)
expand4to8[i] = v;
}
- /* valid range: 1 MB -> 256 MB */
+ /* valid range: 1 MB -> 512 MB */
s->vram_size = 1024 * 1024;
while (s->vram_size < (s->vram_size_mb << 20) &&
- s->vram_size < (256 << 20)) {
+ s->vram_size < (512 << 20)) {
s->vram_size <<= 1;
}
s->vram_size_mb = s->vram_size >> 20;
--
1.8.3.1
next prev parent reply other threads:[~2015-03-04 14:31 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-04 14:30 [Qemu-devel] [PULL 0/7] spice patch queue Gerd Hoffmann
2015-03-04 14:30 ` [Qemu-devel] [PULL 1/7] qxl: document minimal video memory for new modes Gerd Hoffmann
2015-03-04 14:30 ` Gerd Hoffmann [this message]
2015-03-04 14:30 ` [Qemu-devel] [PULL 3/7] qxl: refactor rounding up to a nearest power of 2 Gerd Hoffmann
2015-03-05 4:57 ` Dongsheng Song
2015-03-05 15:35 ` Radim Krčmář
2015-03-05 9:52 ` Markus Armbruster
2015-03-05 10:11 ` Gerd Hoffmann
2015-03-05 15:12 ` Radim Krčmář
2015-03-04 14:30 ` [Qemu-devel] [PULL 4/7] vga: refactor vram_size clamping and rounding Gerd Hoffmann
2015-03-04 14:30 ` [Qemu-devel] [PULL 5/7] qxl: drop update_displaychangelistener call for secondary qxl devices Gerd Hoffmann
2015-03-04 14:30 ` [Qemu-devel] [PULL 6/7] hmp: info spice: Show string channel name Gerd Hoffmann
2015-03-04 14:30 ` [Qemu-devel] [PULL 7/7] hmp: info spice: take out webdav Gerd Hoffmann
2015-03-08 12:27 ` [Qemu-devel] [PULL 0/7] spice patch queue Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1425479449-11480-3-git-send-email-kraxel@redhat.com \
--to=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rkrcmar@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).