From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57009)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1YTAKB-0008Aw-FE
	for qemu-devel@nongnu.org; Wed, 04 Mar 2015 09:31:05 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1YTAK6-0004BJ-Ot
	for qemu-devel@nongnu.org; Wed, 04 Mar 2015 09:30:59 -0500
Received: from mx1.redhat.com ([209.132.183.28]:39725)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1YTAK6-00049P-FN
	for qemu-devel@nongnu.org; Wed, 04 Mar 2015 09:30:54 -0500
Received: from int-mx14.intmail.prod.int.phx2.redhat.com
	(int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t24EUqCv016103
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=FAIL)
	for <qemu-devel@nongnu.org>; Wed, 4 Mar 2015 09:30:53 -0500
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed,  4 Mar 2015 15:30:44 +0100
Message-Id: <1425479449-11480-3-git-send-email-kraxel@redhat.com>
In-Reply-To: <1425479449-11480-1-git-send-email-kraxel@redhat.com>
References: <1425479449-11480-1-git-send-email-kraxel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PULL 2/7] spice: fix invalid memory access to vga.vram
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann <kraxel@redhat.com>, =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>

From: Radim Kr=C4=8Dm=C3=A1=C5=99 <rkrcmar@redhat.com>

vga_common_init() doesn't allow more than 256 MiB vram size and silently
shrinks any larger value.  qxl_dirty_surfaces() used the unshrinked size
via qxl->shadow_rom.surface0_area_size when accessing the memory, which
resulted in segfault.

Add a workaround for this case and an assert if it happens again.

We have to bump the vga memory limit too, because 256 MiB wouldn't have
allowed 8k (it requires more than 128 MiB).
1024 MiB doesn't work, but 512 MiB seems fine.

Proposed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Radim Kr=C4=8Dm=C3=A1=C5=99 <rkrcmar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/qxl.c | 8 ++++++++
 hw/display/vga.c | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 6e90797..92f2d50 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -370,6 +370,8 @@ static void init_qxl_rom(PCIQXLDevice *d)
     num_pages         -=3D surface0_area_size;
     num_pages          =3D num_pages / QXL_PAGE_SIZE;
=20
+    assert(ram_header_size + surface0_area_size <=3D d->vga.vram_size);
+
     rom->draw_area_offset   =3D cpu_to_le32(0);
     rom->surface0_area_size =3D cpu_to_le32(surface0_area_size);
     rom->pages_offset       =3D cpu_to_le32(surface0_area_size);
@@ -1883,6 +1885,12 @@ static void qxl_init_ramsize(PCIQXLDevice *qxl)
     if (qxl->vgamem_size_mb < 8) {
         qxl->vgamem_size_mb =3D 8;
     }
+    /* XXX: we round vgamem_size_mb up to a nearest power of two and it =
must be
+     * less than vga_common_init()'s maximum on qxl->vga.vram_size (512 =
now).
+     */
+    if (qxl->vgamem_size_mb > 256) {
+        qxl->vgamem_size_mb =3D 256;
+    }
     qxl->vgamem_size =3D qxl->vgamem_size_mb * 1024 * 1024;
=20
     /* vga ram (bar 0, total) */
diff --git a/hw/display/vga.c b/hw/display/vga.c
index c8c49ab..6e4ca7e 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -2121,10 +2121,10 @@ void vga_common_init(VGACommonState *s, Object *o=
bj, bool global_vmstate)
         expand4to8[i] =3D v;
     }
=20
-    /* valid range: 1 MB -> 256 MB */
+    /* valid range: 1 MB -> 512 MB */
     s->vram_size =3D 1024 * 1024;
     while (s->vram_size < (s->vram_size_mb << 20) &&
-           s->vram_size < (256 << 20)) {
+           s->vram_size < (512 << 20)) {
         s->vram_size <<=3D 1;
     }
     s->vram_size_mb =3D s->vram_size >> 20;
--=20
1.8.3.1