qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Gerd Hoffmann <kraxel@redhat.com>
To: BALATON Zoltan <balaton@eik.bme.hu>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
	"Michael S . Tsirkin" <mst@redhat.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	qemu-stable <qemu-stable@nongnu.org>,
	"Michael Roth" <mdroth@linux.vnet.ibm.com>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	"Zhang Zi Ming" <1015138407@qq.com>,
	qemu-ppc <qemu-ppc@nongnu.org>,
	"Aurelien Jarno" <aurelien@aurel32.net>
Subject: Re: [PATCH-for-5.0 v2] hw/display/sm501: Avoid heap overflow in sm501_2d_operation()
Date: Tue, 21 Apr 2020 11:15:52 +0200	[thread overview]
Message-ID: <20200421091552.77uogz2qwc7y4cxg@sirius.home.kraxel.org> (raw)
In-Reply-To: <alpine.BSF.2.22.395.2004151934110.92157@zero.eik.bme.hu>

> > > The SM501 datasheet is entirely unhelpful on this question, but
> > > my suggestion is that we should convert the code so that instead
> > > of operating directly on pointers into the middle of the local_mem
> > > buffer all the accesses to local_mem go via functions which mask
> > > off the high bits of the index. That effectively means that the
> > > behaviour if we index off the end of the graphics memory is
> > > that we just wrap round to the start of it. It should be fairly
> > > easy to be confident that the code isn't accessing off the end
> > > of the array and it might even be what the hardware actually does
> > > (since it would correspond to 'use low bits of the address to
> > > index the ram, ignore high bits')...
> > 
> > Does that make it even slower than it is already? I think it should
> > rather be changed to do what I've done in ati_2d.c and call optimised
> > functions to do the blit operation instead of implementing it directly.
> > Then we'll need
> 
> As blits are common operation in several video cards, such as sm501, cirrus
> and ati-vga at least maybe we could also split off some common helpers to
> have one implementation of these which could be secured and optimised once
> and not have to fix it in every device separately. I don't volunteer to do
> that by maybe there's someone who wants to try that?

cirrus stopped using pointers years ago, exactly for the reasons
outlined above.  Conversion was pretty straight forward.

commit 026aeffcb4752054830ba203020ed6eb05bcaba8
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Wed Mar 15 11:47:52 2017 +0100

    cirrus: stop passing around dst pointers in the blitter
    
    Instead pass around the address (aka offset into vga memory).  Calculate
    the pointer in the rop_* functions, after applying the mask to the
    address, to make sure the address stays within the valid range.

Drawback of this approach is that it can't be used in case you offload
all your raster ops to pixman, so the basic idea doesn't help much for
ati.  Didn't check sm501.

take care,
  Gerd



  reply	other threads:[~2020-04-21  9:17 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-13 22:01 [PATCH-for-5.0 v2] hw/display/sm501: Avoid heap overflow in sm501_2d_operation() Philippe Mathieu-Daudé
2020-04-15 15:01 ` Peter Maydell
2020-04-15 17:33   ` BALATON Zoltan
2020-04-15 17:39     ` BALATON Zoltan
2020-04-21  9:15       ` Gerd Hoffmann [this message]
2020-04-21  9:25         ` Peter Maydell
2020-04-21 11:26           ` Gerd Hoffmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200421091552.77uogz2qwc7y4cxg@sirius.home.kraxel.org \
    --to=kraxel@redhat.com \
    --cc=1015138407@qq.com \
    --cc=aurelien@aurel32.net \
    --cc=balaton@eik.bme.hu \
    --cc=f4bug@amsat.org \
    --cc=mdroth@linux.vnet.ibm.com \
    --cc=mst@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-ppc@nongnu.org \
    --cc=qemu-stable@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).