* [Qemu-devel] [PULL 0/4] Vga 20171017 patches
From: Gerd Hoffmann @ 2017-10-17 8:24 UTC
To: qemu-devel; +Cc: Gerd Hoffmann
The following changes since commit c5bbcaa4b7c0f8a322bebe9ec563560178a68b55:
Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2017-10-16 17:29:16 +0100)
are available in the git repository at:
git://git.kraxel.org/qemu tags/vga-20171017-pull-request
for you to fetch changes up to eb38e1bc3740725ca29a535351de94107ec58d51:
cirrus: fix oob access in mode4and5 write functions (2017-10-17 09:59:00 +0200)
----------------------------------------------------------------
cirrus: bugfixes, with some vga cleanups.
----------------------------------------------------------------
Gerd Hoffmann (4):
vga: drop line_offset variable
vga: handle cirrus vbe mode wraparounds.
vga: add ram_addr_t cast
cirrus: fix oob access in mode4and5 write functions
hw/display/cirrus_vga.c | 6 ++----
hw/display/vga.c | 33 +++++++++++++++++++++++----------
2 files changed, 25 insertions(+), 14 deletions(-)
--
2.9.3
* [Qemu-devel] [PULL 1/4] vga: drop line_offset variable
From: Gerd Hoffmann @ 2017-10-17 8:24 UTC
To: qemu-devel; +Cc: Gerd Hoffmann
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/vga.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index ed24ef7076..bf774e3402 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1464,7 +1464,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
{
DisplaySurface *surface = qemu_console_surface(s->con);
int y1, y, update, linesize, y_start, double_scan, mask, depth;
- int width, height, shift_control, line_offset, bwidth, bits;
+ int width, height, shift_control, bwidth, bits;
ram_addr_t page0, page1;
DirtyBitmapSnapshot *snap = NULL;
int disp_width, multi_scan, multi_run;
@@ -1614,7 +1614,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
s->cursor_invalidate(s);
}
- line_offset = s->line_offset;
#if 0
printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
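Review bot: the `#if 0` debug printf at the end of this hunk still reads the local `line_offset` that the hunk removes, so anyone re-enabling the block will get a compile error; switch it to `s->line_offset` or drop the dead block while touching it.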
@@ -1629,7 +1628,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
if (!full_update) {
ram_addr_t region_start = addr1;
- ram_addr_t region_end = addr1 + line_offset * height;
+ ram_addr_t region_end = addr1 + s->line_offset * height;
vga_sync_dirty_bitmap(s);
if (s->line_compare < height) {
/* split screen mode */
@@ -1681,7 +1680,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
if (!multi_run) {
mask = (s->cr[VGA_CRTC_MODE] & 3) ^ 3;
if ((y1 & mask) == mask)
- addr1 += line_offset;
+ addr1 += s->line_offset;
y1++;
multi_run = multi_scan;
} else {
--
2.9.3
* [Qemu-devel] [PULL 2/4] vga: handle cirrus vbe mode wraparounds.
From: Gerd Hoffmann @ 2017-10-17 8:25 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, P J P
Commit "3d90c62548 vga: stop passing pointers to vga_draw_line*
functions" is incomplete. It doesn't handle the case that the vga
rendering code tries to create a shared surface, i.e. a pixman image
backed by vga video memory. That cannot work in case the guest display
wraps from end of video memory to the start. So force shadowing in that
case. Also adjust the snapshot region calculation.
Can trigger with cirrus only; when programming vbe modes using the bochs
api (stdvga, also qxl and virtio-vga in vga compat mode) wraparounds
can't happen.
Fixes: CVE-2017-13672
Fixes: 3d90c6254863693a6b13d918d2b8682e08bbc681
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171010141323.14049-3-kraxel@redhat.com
---
hw/display/vga.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index bf774e3402..1afceb6f16 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1465,13 +1465,13 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
DisplaySurface *surface = qemu_console_surface(s->con);
int y1, y, update, linesize, y_start, double_scan, mask, depth;
int width, height, shift_control, bwidth, bits;
- ram_addr_t page0, page1;
+ ram_addr_t page0, page1, region_start, region_end;
DirtyBitmapSnapshot *snap = NULL;
int disp_width, multi_scan, multi_run;
uint8_t *d;
uint32_t v, addr1, addr;
vga_draw_line_func *vga_draw_line = NULL;
- bool share_surface;
+ bool share_surface, force_shadow = false;
pixman_format_code_t format;
#ifdef HOST_WORDS_BIGENDIAN
bool byteswap = !s->big_endian_fb;
@@ -1484,6 +1484,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
s->get_resolution(s, &width, &height);
disp_width = width;
+ region_start = (s->start_addr * 4);
+ region_end = region_start + s->line_offset * height;
+ if (region_end > s->vbe_size) {
+ /* wraps around (can happen with cirrus vbe modes) */
+ region_start = 0;
+ region_end = s->vbe_size;
+ force_shadow = true;
+ }
+
shift_control = (s->gr[VGA_GFX_MODE] >> 5) & 3;
double_scan = (s->cr[VGA_CRTC_MAX_SCAN] >> 7);
if (shift_control != 1) {
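Review bot: `region_end = region_start + s->line_offset * height;` multiplies in the operands' own width and only then widens to ram_addr_t, so a product that wraps in 32 bits can land below `s->vbe_size` and skip the force_shadow path; cast one operand first, `region_start + (ram_addr_t)s->line_offset * height`. This check decides whether guest vram gets mapped directly into a shared surface, so it is the one place where the arithmetic must not be allowed to wrap.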
@@ -1523,7 +1532,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
format = qemu_default_pixman_format(depth, !byteswap);
if (format) {
share_surface = dpy_gfx_check_format(s->con, format)
- && !s->force_shadow;
+ && !s->force_shadow && !force_shadow;
} else {
share_surface = false;
}
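Review bot: the local `force_shadow` sits next to the `s->force_shadow` field in `!s->force_shadow && !force_shadow`, which reads as the same condition tested twice; a name such as `vram_wraps` would make the reason for shadowing visible at this call site.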
@@ -1627,8 +1636,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
y1 = 0;
if (!full_update) {
- ram_addr_t region_start = addr1;
- ram_addr_t region_end = addr1 + s->line_offset * height;
vga_sync_dirty_bitmap(s);
if (s->line_compare < height) {
/* split screen mode */
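Review bot: the snapshot region was previously anchored at `addr1` and is now computed from `s->start_addr * 4` near the top of the function; if `addr1` is ever derived differently from `s->start_addr` the snapshot covers the wrong range, so a short comment, or an `assert(addr1 == s->start_addr * 4)` in the non-wrapping case, would document the equivalence the hoisting relies on.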
@@ -1651,10 +1658,17 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
addr = (addr & ~0x8000) | ((y1 & 2) << 14);
}
update = full_update;
- page0 = addr;
- page1 = addr + bwidth - 1;
+ page0 = addr & s->vbe_size_mask;
+ page1 = (addr + bwidth - 1) & s->vbe_size_mask;
if (full_update) {
update = 1;
+ } else if (page1 < page0) {
+ /* scanline wraps from end of video memory to the start */
+ assert(force_shadow);
+ update = memory_region_snapshot_get_dirty(&s->vram, snap,
+ page0, 0);
+ update |= memory_region_snapshot_get_dirty(&s->vram, snap,
+ page1, 0);
} else {
update = memory_region_snapshot_get_dirty(&s->vram, snap,
page0, page1 - page0);
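Review bot: `assert(force_shadow)` is on a path steered by guest-programmed registers, and `addr` is modified after `region_end` was computed (the split-screen handling and `addr = (addr & ~0x8000) | ((y1 & 2) << 14);` above), so any mode that reaches `page1 < page0` without the frame-level check having tripped becomes a host abort instead of a misrender; prefer `update = 1` (or forcing shadow) over asserting here. The two size-0 `memory_region_snapshot_get_dirty` queries also look only at the start of each half of the wrapped scanline, not at `[page0, vbe_size)` and `[0, page1]`, so a dirty page in the middle of either half will not trigger a redraw of that line.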
--
2.9.3
* [Qemu-devel] [PULL 3/4] vga: add ram_addr_t cast
From: Gerd Hoffmann @ 2017-10-17 8:25 UTC
To: qemu-devel; +Cc: Gerd Hoffmann
Reported by Coverity.
Fixes: CID 1381409
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171010141323.14049-4-kraxel@redhat.com
---
hw/display/vga.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 1afceb6f16..1d19f6bc48 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1485,7 +1485,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
disp_width = width;
region_start = (s->start_addr * 4);
- region_end = region_start + s->line_offset * height;
+ region_end = region_start + (ram_addr_t)s->line_offset * height;
if (region_end > s->vbe_size) {
/* wraps around (can happen with cirrus vbe modes) */
region_start = 0;
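Review bot: the cast widens the product, but `region_start = (s->start_addr * 4);` on the line above is still evaluated in `start_addr`'s own type before being assigned to the ram_addr_t; if that field is narrower than ram_addr_t the same class of Coverity finding applies, and `(ram_addr_t)s->start_addr * 4` would make the pair consistent.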
--
2.9.3
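As an added example (not QEMU code and not part of this series), the following C models the two checks that "vga: handle cirrus vbe mode wraparounds" and "vga: add ram_addr_t cast" introduce into vga_draw_graphic(): the frame-level region computation that forces shadowing when the frame runs past the end of vram, with and without the widening cast, and the per-scanline page0/page1 wrap test. The `frame` and `region` structs, the 4 MiB vram and the three sample modes are constructed for this example; the overflowing `line_offset`/`height` pair exists only to show what the cast prevents and is not claimed to be programmable from a real guest.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the wraparound
 * handling added to vga_draw_graphic() by "vga: handle cirrus vbe mode
 * wraparounds" and "vga: add ram_addr_t cast". Types, struct layout and
 * sample register values are assumptions made for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t ram_addr_t;          /* assumption: 64-bit host */

#define VRAM_4M (4u << 20)            /* cirrus-sized vram, constructed */

struct frame {
    uint32_t   start_addr;            /* display start, in 32-bit units */
    uint32_t   line_offset;           /* bytes per scanline */
    int        height;                /* visible scanlines */
    ram_addr_t vbe_size;              /* vram size, a power of two */
};

struct region {
    ram_addr_t start, end;            /* vram range to snapshot for dirty tracking */
    bool       force_shadow;          /* frame wraps: never share vram as a surface */
};

/* Before the cast: the product is formed in 32 bits and only then widened,
 * so a large line_offset * height can wrap below vbe_size. */
static ram_addr_t region_end_narrow(const struct frame *f)
{
    uint32_t product = f->line_offset * (uint32_t)f->height;   /* may wrap */
    return (ram_addr_t)f->start_addr * 4 + product;
}

/* After both patches: widen first, then clamp the region to all of vram and
 * force shadowing when the frame runs past the end of vram. */
static struct region compute_region(const struct frame *f)
{
    struct region r = { (ram_addr_t)f->start_addr * 4, 0, false };
    r.end = r.start + (ram_addr_t)f->line_offset * f->height;
    if (r.end > f->vbe_size) {
        /* wraps around (can happen with cirrus vbe modes) */
        r.start = 0;
        r.end = f->vbe_size;
        r.force_shadow = true;
    }
    return r;
}

/* Per-scanline page range, masked like page0/page1 in the patch. Returns true
 * when the scanline wraps from the end of vram to the start, i.e. the dirty
 * check has to cover two ranges instead of [page0, page1]. */
static bool scanline_wraps(ram_addr_t addr, unsigned bwidth, ram_addr_t vbe_size,
                           ram_addr_t *page0, ram_addr_t *page1)
{
    ram_addr_t mask = vbe_size - 1;
    *page0 = addr & mask;
    *page1 = (addr + bwidth - 1) & mask;
    return *page1 < *page0;
}

static bool scanline_wraps_at(ram_addr_t addr, unsigned bwidth)
{
    ram_addr_t p0, p1;
    return scanline_wraps(addr, bwidth, VRAM_4M, &p0, &p1);
}

/* Constructed sample modes: 1024x768 at 32bpp (4096 bytes per line). */
static const struct frame normal_mode   = { 0,       4096,  768,   VRAM_4M }; /* fits */
static const struct frame wrapping_mode = { 1032192, 4096,  768,   VRAM_4M }; /* starts 64 KiB before the end */
static const struct frame overflow_mode = { 0,       65536, 65537, VRAM_4M }; /* product wraps in 32 bits */

int main(void)
{
    const struct frame *modes[] = { &normal_mode, &wrapping_mode, &overflow_mode };
    for (size_t i = 0; i < 3; i++) {
        struct region r = compute_region(modes[i]);
        printf("mode %zu: narrow end=%llu region=[%llu,%llu) force_shadow=%d\n", i,
               (unsigned long long)region_end_narrow(modes[i]),
               (unsigned long long)r.start, (unsigned long long)r.end, r.force_shadow);
    }
    printf("scanline at end-2048 wraps: %d\n", scanline_wraps_at(VRAM_4M - 2048, 4096));
    return 0;
}
```

The third mode is the one the cast is for: `region_end_narrow` reports an end of 65536 bytes, which passes the `> vbe_size` test, while the widened computation sees the frame overrun vram and forces shadowing.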
* [Qemu-devel] [PULL 4/4] cirrus: fix oob access in mode4and5 write functions
From: Gerd Hoffmann @ 2017-10-17 8:25 UTC
To: qemu-devel; +Cc: Gerd Hoffmann, Prasad J Pandit
Move dst calculation into the loop, so we apply the mask on each
iteration and will not overflow vga memory.
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171011084314.21752-1-kraxel@redhat.com
---
hw/display/cirrus_vga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index b4d579857a..bc32bf1e39 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
} else if (mode == 5) {
*dst = s->cirrus_shadow_gr0;
}
val <<= 1;
- dst++;
}
memory_region_set_dirty(&s->vga.vram, offset, 8);
}
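Review bot: dropping `offset &= s->cirrus_addr_mask` also drops its side effect on `offset`, so `memory_region_set_dirty(&s->vga.vram, offset, 8)` at the end of the hunk now receives the unmasked value; if a caller can pass an offset beyond the mask the dirty range points past vram, and when the eight bytes wrap, the bytes written at the start of vram are never marked dirty. Mask `offset` once at the top in addition to the per-iteration mask, or mark two ranges when `(offset & mask) + 8` crosses the end. The same applies to the `memory_region_set_dirty(..., offset, 16)` in the 16bpp variant below.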
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
*(dst + 1) = s->vga.gr[0x11];
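Review bot: `& ~1` is a behaviour change for odd offsets, not just a bounds fix: before the patch an odd `offset` wrote the pair at `offset`, `offset + 1`; now it is rounded down to `offset - 1`, `offset`. If that is what the hardware does for 16bpp plane writes, say so in the commit message; otherwise keep the per-iteration mask and mask the address of `dst + 1` separately rather than forcing even alignment.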
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
*(dst + 1) = s->vga.gr[0x10];
}
val <<= 1;
- dst += 2;
}
memory_region_set_dirty(&s->vga.vram, offset, 16);
}
--
2.9.3
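As an added example (not QEMU code and not from this patch), the following C shows why the per-iteration mask matters, using a constructed 4 KiB vram followed by guard bytes that stand in for whatever the host allocator placed after the real vram: the pre-fix form of the 8bpp mode 4/5 write masks once and then walks off the end, the fixed form wraps back to the start of vram. The `struct cirrus`, `ADDR_MASK`, `GUARD` and the register values are assumptions for this example; the 16bpp variant follows the same pattern with a two-byte stride and is not repeated, and the dirty-bitmap update is left out.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the mode 4/5 8bpp
 * write path fixed by "cirrus: fix oob access in mode4and5 write functions".
 * The 4 KiB vram, the guard bytes and the register values are constructed
 * for this example; the real device has a multi-megabyte vram and also
 * marks the written range dirty, which is omitted here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VRAM_SIZE 4096u
#define ADDR_MASK (VRAM_SIZE - 1)         /* cirrus_addr_mask analogue */
#define GUARD     16u                     /* models memory that follows vram on the host */

struct cirrus {
    uint8_t vram[VRAM_SIZE + GUARD];      /* indices >= VRAM_SIZE are the guard */
    uint8_t shadow_gr0, shadow_gr1;       /* background / foreground colour */
};

typedef void write_fn(struct cirrus *, int, uint32_t, uint8_t);

/* Before the fix: offset is masked once, then dst is incremented blindly. */
static void write_mode4and5_8bpp_vulnerable(struct cirrus *s, int mode,
                                            uint32_t offset, uint8_t mem_value)
{
    unsigned val = mem_value;
    uint8_t *dst = s->vram + (offset & ADDR_MASK);
    for (int x = 0; x < 8; x++) {
        if (val & 0x80) {
            *dst = s->shadow_gr1;
        } else if (mode == 5) {
            *dst = s->shadow_gr0;
        }
        val <<= 1;
        dst++;                            /* steps past ADDR_MASK into the guard */
    }
}

/* After the fix: every byte address is masked, so the write wraps inside vram. */
static void write_mode4and5_8bpp_fixed(struct cirrus *s, int mode,
                                       uint32_t offset, uint8_t mem_value)
{
    unsigned val = mem_value;
    for (int x = 0; x < 8; x++) {
        uint8_t *dst = s->vram + ((offset + x) & ADDR_MASK);
        if (val & 0x80) {
            *dst = s->shadow_gr1;
        } else if (mode == 5) {
            *dst = s->shadow_gr0;
        }
        val <<= 1;
    }
}

/* Constructed worst case: a mode 4 write of 0xff (all eight pixels set)
 * starting three bytes before the end of vram. */
#define WRITE_OFFSET (VRAM_SIZE - 3)

static struct cirrus run_write(write_fn *fn)
{
    struct cirrus s;
    memset(&s, 0, sizeof s);
    s.shadow_gr1 = 0xab;
    fn(&s, 4, WRITE_OFFSET, 0xff);
    return s;
}

/* Guard bytes modified by the write: any nonzero count is an out-of-bounds write. */
static unsigned oob_bytes(write_fn *fn)
{
    struct cirrus s = run_write(fn);
    unsigned n = 0;
    for (unsigned i = VRAM_SIZE; i < VRAM_SIZE + GUARD; i++) {
        n += s.vram[i] != 0;
    }
    return n;
}

/* Bytes among vram[0..4] holding the foreground colour: the pixels that
 * wrapped to the start of vram instead of leaving it. */
static unsigned wrapped_pixels(write_fn *fn)
{
    struct cirrus s = run_write(fn);
    unsigned n = 0;
    for (unsigned i = 0; i < 5; i++) {
        n += s.vram[i] == s.shadow_gr1;
    }
    return n;
}

int main(void)
{
    printf("vulnerable: %u guard bytes overwritten, %u pixels wrapped\n",
           oob_bytes(write_mode4and5_8bpp_vulnerable),
           wrapped_pixels(write_mode4and5_8bpp_vulnerable));
    printf("fixed:      %u guard bytes overwritten, %u pixels wrapped\n",
           oob_bytes(write_mode4and5_8bpp_fixed),
           wrapped_pixels(write_mode4and5_8bpp_fixed));
    return 0;
}
```

With the offset three bytes short of the mask, the pre-fix loop writes five of its eight bytes beyond vram; the fixed loop lands those five bytes at vram[0..4], which is also why the dirty range passed to memory_region_set_dirty needs to account for the wrap.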
* Re: [Qemu-devel] [PULL 0/4] Vga 20171017 patches
From: Peter Maydell @ 2017-10-19 11:09 UTC
To: Gerd Hoffmann; +Cc: QEMU Developers
On 17 October 2017 at 09:24, Gerd Hoffmann <kraxel@redhat.com> wrote:
> The following changes since commit c5bbcaa4b7c0f8a322bebe9ec563560178a68b55:
>
> Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2017-10-16 17:29:16 +0100)
>
> are available in the git repository at:
>
> git://git.kraxel.org/qemu tags/vga-20171017-pull-request
>
> for you to fetch changes up to eb38e1bc3740725ca29a535351de94107ec58d51:
>
> cirrus: fix oob access in mode4and5 write functions (2017-10-17 09:59:00 +0200)
>
> ----------------------------------------------------------------
> cirrus: bugfixes, with some vga cleanups.
>
> ----------------------------------------------------------------
>
> Gerd Hoffmann (4):
> vga: drop line_offset variable
> vga: handle cirrus vbe mode wraparounds.
> vga: add ram_addr_t cast
> cirrus: fix oob access in mode4and5 write functions
>
Applied, thanks.
-- PMM