[Qemu-devel] [PATCH] vga: check the validation of memory addr when draw text

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: linzhecheng <linzhecheng@huawei.com>
To: qemu-devel@nongnu.org
Cc: kraxel@redhat.com, arei.gonglei@huawei.com,
	wangxinxin.wang@huawei.com, fabrice@bellard.org,
	linzhecheng <linzhecheng@huawei.com>
Subject: [Qemu-devel] [PATCH] vga: check the validation of memory addr when draw text
Date: Mon, 25 Dec 2017 10:28:35 +0800	[thread overview]
Message-ID: <20171225022835.23236-1-linzhecheng@huawei.com> (raw)

Start a vm with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda redhat_5.11.qcow2  -device pcnet -vga cirrus,
then use VNC client to connect to VM, and excute the code below in guest OS will lead to qemu crash:

int main()
 {
    iopl(3);
    srand(time(NULL));
    int a,b;
    while(1){
	a = rand()%0x100;
	b = 0x3c0 + (rand()%0x20);
        outb(a,b);
    }
    return 0;
}

The backtrace is:
#0  0x000055defdf28dd1 in vga_draw_text (s=0x55deffe19a80, full_update=1)
    at /mnt/sdb/lzc/code/open/qemu/hw/display/vga.c:1283
#1  0x000055defdf2a371 in vga_update_display (opaque=0x55deffe19a80)
    at /mnt/sdb/lzc/code/open/qemu/hw/display/vga.c:1766
#2  0x000055defe28098e in graphic_hw_update (con=0x55deffeeb770) at ui/console.c:263
#3  0x000055defe29360f in vnc_refresh (dcl=0x55deffc54860) at ui/vnc.c:2855
#4  0x000055defe2842fe in dpy_refresh (s=0x55deffeeb700) at ui/console.c:1595
#5  0x000055defe2806ca in gui_update (opaque=0x55deffeeb700) at ui/console.c:201
#6  0x000055defe3ca875 in timerlist_run_timers (timer_list=0x55deff420100) at util/qemu-timer.c:536
#7  0x000055defe3ca8bd in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at util/qemu-timer.c:547
#8  0x000055defe3cac83 in qemu_clock_run_all_timers () at util/qemu-timer.c:662
#9  0x000055defe3cb430 in main_loop_wait (nonblocking=0) at util/main-loop.c:521
#10 0x000055defe029838 in main_loop () at vl.c:1951
#11 0x000055defe031720 in main (argc=16, argv=0x7ffe5fb600e8, envp=0x7ffe5fb60170) at vl.c:4867

The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D 
(which is the start address register) to modify the 
the display memory address of the upper left pixel 
or character of the screen. The address may be out of the 
range of vga ram. So we should check the validation of memory address 
when reading or writing it to avoid segfault.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>

Change-Id: Ib7466361b18e0a232fc068aad50d2113701786ab

diff --git a/hw/display/vga.c b/hw/display/vga.c
index a0412000a5..c265572bf3 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1279,6 +1279,10 @@ static void vga_draw_text(VGACommonState *s, int full_update)
         cx_min = width;
         cx_max = -1;
         for(cx = 0; cx < width; cx++) {
+            if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) {
+                printf("src is out of the range of vga ram.\n");
+                return;
+             }
             ch_attr = *(uint16_t *)src;
             if (full_update || ch_attr != *ch_attr_ptr || src == cursor_ptr) {
                 if (cx < cx_min)
-- 
2.12.2.windows.2

next             reply	other threads:[~2017-12-25  2:29 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-25  2:28 linzhecheng [this message]
2018-01-11 10:41 ` [Qemu-devel] [PATCH] vga: check the validation of memory addr when draw text P J P

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a0412000a dfblob:c265572bf )
 OR (
bs:"[Qemu-devel] [PATCH] vga: check the validation of memory addr when draw text" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171225022835.23236-1-linzhecheng@huawei.com \
    --to=linzhecheng@huawei.com \
    --cc=arei.gonglei@huawei.com \
    --cc=fabrice@bellard.org \
    --cc=kraxel@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=wangxinxin.wang@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).