From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 50/52] hw/display/bcm2835_fb: Validate config settings
Date: Fri, 24 Aug 2018 10:33:41 +0100 [thread overview]
Message-ID: <20180824093343.11346-51-peter.maydell@linaro.org> (raw)
In-Reply-To: <20180824093343.11346-1-peter.maydell@linaro.org>
Validate the config settings that the guest tries to set.
The wiki page documentation is not really accurate here:
generally rather than failing requests to set bad parameters,
the hardware will just clip them to something sensible.
Validate the most important parameters: sizes and
the viewport offsets. This prevents the framebuffer
code from trying to read out-of-range memory.
In the property handling code, we validate the new parameters every
time we encounter a tag that sets them. This means we validate the
config multiple times if the request includes multiple config-setting
tags; validating only once while still returning the clipped settings
for get-parameter tags and the buffer allocation tag would require
significant restructuring of the code.
Validation of settings made via the older bcm2835_fb_mbox_push()
function will be done in the next commit.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180814144436.679-8-peter.maydell@linaro.org
---
include/hw/display/bcm2835_fb.h | 8 +++++
hw/display/bcm2835_fb.c | 48 +++++++++++++++++++++++++++--
hw/misc/bcm2835_property.c | 54 ++++++++++++++++-----------------
3 files changed, 81 insertions(+), 29 deletions(-)
diff --git a/include/hw/display/bcm2835_fb.h b/include/hw/display/bcm2835_fb.h
index d992c60c120..228988ba056 100644
--- a/include/hw/display/bcm2835_fb.h
+++ b/include/hw/display/bcm2835_fb.h
@@ -76,4 +76,12 @@ static inline uint32_t bcm2835_fb_get_size(BCM2835FBConfig *config)
return yres * bcm2835_fb_get_pitch(config);
}
+/**
+ * bcm2835_fb_validate_config: check provided config
+ *
+ * Validates the configuration information provided by the guest and
+ * adjusts it if necessary.
+ */
+void bcm2835_fb_validate_config(BCM2835FBConfig *config);
+
#endif
diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
index 76a10072b46..3edb8b5cfcb 100644
--- a/hw/display/bcm2835_fb.c
+++ b/hw/display/bcm2835_fb.c
@@ -34,6 +34,13 @@
#define DEFAULT_VCRAM_SIZE 0x4000000
#define BCM2835_FB_OFFSET 0x00100000
+/* Maximum permitted framebuffer size; experimentally determined on an rpi2 */
+#define XRES_MAX 3840
+#define YRES_MAX 2560
+/* Framebuffer size used if guest requests zero size */
+#define XRES_SMALL 592
+#define YRES_SMALL 488
+
static void fb_invalidate_display(void *opaque)
{
BCM2835FBState *s = BCM2835_FB(opaque);
@@ -202,6 +209,45 @@ static void fb_update_display(void *opaque)
s->invalidate = false;
}
+void bcm2835_fb_validate_config(BCM2835FBConfig *config)
+{
+ /*
+ * Validate the config, and clip any bogus values into range,
+ * as the hardware does. Note that fb_update_display() relies on
+ * this happening to prevent it from performing out-of-range
+ * accesses on redraw.
+ */
+ config->xres = MIN(config->xres, XRES_MAX);
+ config->xres_virtual = MIN(config->xres_virtual, XRES_MAX);
+ config->yres = MIN(config->yres, YRES_MAX);
+ config->yres_virtual = MIN(config->yres_virtual, YRES_MAX);
+
+ /*
+ * These are not minima: a 40x40 framebuffer will be accepted.
+ * They're only used as defaults if the guest asks for zero size.
+ */
+ if (config->xres == 0) {
+ config->xres = XRES_SMALL;
+ }
+ if (config->yres == 0) {
+ config->yres = YRES_SMALL;
+ }
+ if (config->xres_virtual == 0) {
+ config->xres_virtual = config->xres;
+ }
+ if (config->yres_virtual == 0) {
+ config->yres_virtual = config->yres;
+ }
+
+ if (fb_use_offsets(config)) {
+ /* Clip the offsets so the viewport is within the physical screen */
+ config->xoffset = MIN(config->xoffset,
+ config->xres_virtual - config->xres);
+ config->yoffset = MIN(config->yoffset,
+ config->yres_virtual - config->yres);
+ }
+}
+
static void bcm2835_fb_mbox_push(BCM2835FBState *s, uint32_t value)
{
uint32_t pitch;
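Review bot: The offset clipping on the `config->xres_virtual - config->xres` and `config->yres_virtual - config->yres` lines only bounds the viewport if fb_use_offsets() already guarantees that the virtual dimensions are at least the physical ones; the fields are unsigned (they are loaded with ldl_le_phys() in the property code), so if that guard admits xres_virtual < xres the subtraction wraps and MIN() no longer limits xoffset, defeating the out-of-range protection this function exists to provide. fb_use_offsets() is not part of this patch, so I cannot confirm its condition here. Either state the dependency on the guard, e.g. `/* fb_use_offsets() is only true when xres_virtual >= xres and yres_virtual >= yres, so these subtractions cannot wrap */`, or make the clip self-contained with `if (fb_use_offsets(config) && config->xres_virtual >= config->xres && config->yres_virtual >= config->yres)`. bcm2835_fb_mbox_push(), whose first line closes the hunk, continues outside it.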
@@ -238,8 +284,6 @@ void bcm2835_fb_reconfigure(BCM2835FBState *s, BCM2835FBConfig *newconfig)
{
s->lock = true;
- /* TODO: input validation! */
-
s->config = *newconfig;
s->invalidate = true;
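Review bot: With the TODO removed, bcm2835_fb_reconfigure() copies `*newconfig` into `s->config` without any check of its own, so the out-of-range protection now rests entirely on every caller having run bcm2835_fb_validate_config() first; the commit message says the bcm2835_fb_mbox_push() caller is only validated in the next commit, so this function's contract is implicit at this point in the series. A one-line precondition comment above the assignment would record that, e.g. `/* newconfig must already have been through bcm2835_fb_validate_config() */`, or the function could call `bcm2835_fb_validate_config(newconfig);` itself before the copy so that the invariant fb_update_display() relies on does not depend on each caller. bcm2835_fb_reconfigure() continues beyond the hunk.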
diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
index e3ab677891b..145427ae0f8 100644
--- a/hw/misc/bcm2835_property.c
+++ b/hw/misc/bcm2835_property.c
@@ -155,16 +155,6 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
case 0x00040002: /* Blank screen */
resplen = 4;
break;
- case 0x00040003: /* Get physical display width/height */
- stl_le_phys(&s->dma_as, value + 12, fbconfig.xres);
- stl_le_phys(&s->dma_as, value + 16, fbconfig.yres);
- resplen = 8;
- break;
- case 0x00040004: /* Get virtual display width/height */
- stl_le_phys(&s->dma_as, value + 12, fbconfig.xres_virtual);
- stl_le_phys(&s->dma_as, value + 16, fbconfig.yres_virtual);
- resplen = 8;
- break;
case 0x00044003: /* Test physical display width/height */
case 0x00044004: /* Test virtual display width/height */
resplen = 8;
@@ -172,29 +162,35 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
case 0x00048003: /* Set physical display width/height */
fbconfig.xres = ldl_le_phys(&s->dma_as, value + 12);
fbconfig.yres = ldl_le_phys(&s->dma_as, value + 16);
+ bcm2835_fb_validate_config(&fbconfig);
fbconfig_updated = true;
+ /* fall through */
+ case 0x00040003: /* Get physical display width/height */
+ stl_le_phys(&s->dma_as, value + 12, fbconfig.xres);
+ stl_le_phys(&s->dma_as, value + 16, fbconfig.yres);
resplen = 8;
break;
case 0x00048004: /* Set virtual display width/height */
fbconfig.xres_virtual = ldl_le_phys(&s->dma_as, value + 12);
fbconfig.yres_virtual = ldl_le_phys(&s->dma_as, value + 16);
+ bcm2835_fb_validate_config(&fbconfig);
fbconfig_updated = true;
+ /* fall through */
+ case 0x00040004: /* Get virtual display width/height */
+ stl_le_phys(&s->dma_as, value + 12, fbconfig.xres_virtual);
+ stl_le_phys(&s->dma_as, value + 16, fbconfig.yres_virtual);
resplen = 8;
break;
- case 0x00040005: /* Get depth */
- stl_le_phys(&s->dma_as, value + 12, fbconfig.bpp);
- resplen = 4;
- break;
case 0x00044005: /* Test depth */
resplen = 4;
break;
case 0x00048005: /* Set depth */
fbconfig.bpp = ldl_le_phys(&s->dma_as, value + 12);
+ bcm2835_fb_validate_config(&fbconfig);
fbconfig_updated = true;
- resplen = 4;
- break;
- case 0x00040006: /* Get pixel order */
- stl_le_phys(&s->dma_as, value + 12, fbconfig.pixo);
+ /* fall through */
+ case 0x00040005: /* Get depth */
+ stl_le_phys(&s->dma_as, value + 12, fbconfig.bpp);
resplen = 4;
break;
case 0x00044006: /* Test pixel order */
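Review bot: The bcm2835_fb_validate_config() call added after `fbconfig.bpp = ldl_le_phys(&s->dma_as, value + 12);` only re-clips the geometry, because the validate function introduced in hw/display/bcm2835_fb.c by this same patch never touches bpp; an arbitrary guest-supplied depth therefore still reaches bcm2835_fb_get_pitch() and the size calculation unchanged. I cannot see get_pitch() here, so whether an out-of-range bpp can produce an oversized pitch or size is inferred rather than confirmed, but it is the one size-affecting input the new validation leaves unbounded. Either clip bpp in bcm2835_fb_validate_config() to the depths the display code can render, or note the gap at the call site with `/* validate_config() does not bound bpp yet */` so the call is not read as covering it. The same pattern repeats for the Set pixel order and Set alpha cases in the following hunks, though nothing in the patch shows those fields feeding size computations; bcm2835_property_mbox_push() begins and ends outside the hunk.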
@@ -202,11 +198,11 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
break;
case 0x00048006: /* Set pixel order */
fbconfig.pixo = ldl_le_phys(&s->dma_as, value + 12);
+ bcm2835_fb_validate_config(&fbconfig);
fbconfig_updated = true;
- resplen = 4;
- break;
- case 0x00040007: /* Get alpha */
- stl_le_phys(&s->dma_as, value + 12, fbconfig.alpha);
+ /* fall through */
+ case 0x00040006: /* Get pixel order */
+ stl_le_phys(&s->dma_as, value + 12, fbconfig.pixo);
resplen = 4;
break;
case 0x00044007: /* Test pixel alpha */
@@ -214,7 +210,11 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
break;
case 0x00048007: /* Set alpha */
fbconfig.alpha = ldl_le_phys(&s->dma_as, value + 12);
+ bcm2835_fb_validate_config(&fbconfig);
fbconfig_updated = true;
+ /* fall through */
+ case 0x00040007: /* Get alpha */
+ stl_le_phys(&s->dma_as, value + 12, fbconfig.alpha);
resplen = 4;
break;
case 0x00040008: /* Get pitch */
@@ -222,18 +222,18 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
bcm2835_fb_get_pitch(&fbconfig));
resplen = 4;
break;
- case 0x00040009: /* Get virtual offset */
- stl_le_phys(&s->dma_as, value + 12, fbconfig.xoffset);
- stl_le_phys(&s->dma_as, value + 16, fbconfig.yoffset);
- resplen = 8;
- break;
case 0x00044009: /* Test virtual offset */
resplen = 8;
break;
case 0x00048009: /* Set virtual offset */
fbconfig.xoffset = ldl_le_phys(&s->dma_as, value + 12);
fbconfig.yoffset = ldl_le_phys(&s->dma_as, value + 16);
+ bcm2835_fb_validate_config(&fbconfig);
fbconfig_updated = true;
+ /* fall through */
+ case 0x00040009: /* Get virtual offset */
+ stl_le_phys(&s->dma_as, value + 12, fbconfig.xoffset);
+ stl_le_phys(&s->dma_as, value + 16, fbconfig.yoffset);
resplen = 8;
break;
case 0x0004000a: /* Get/Test/Set overscan */
--
2.18.0