ia64/xen-unstable

changeset 18462:33d907ff2b04

ioemu: various fixes to 18394:dade7f0bdc8d

- fix ioemu segv with old firmware
Without notifying ioemu of address, ioemu will segv.

- fix qemu-dm segv with malicious firmware
If notifying ioemu more than once, ioemu will segv.

Usually such cases don't happen, but malicious guest can
do it intentionally.

Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
author Keir Fraser <keir.fraser@citrix.com>
date Tue Sep 09 15:02:51 2008 +0100 (2008-09-09)
parents 4f27d1a23bca
children 5a6f5b4b5fb3
files tools/ioemu/hw/cirrus_vga.c tools/ioemu/hw/vga.c
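--- a/tools/ioemu/hw/cirrus_vga.c	Tue Sep 09 15:02:32 2008 +0100
+++ b/tools/ioemu/hw/cirrus_vga.c	Tue Sep 09 15:02:51 2008 +0100
@@ -2554,6 +2554,9 @@ static void set_vram_mapping(CirrusVGASt
 
     fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);
 
+    if (!s->vram_mfns)
+        return;
+
     xatp.domid = domid;
     xatp.space = XENMAPSPACE_mfn;
 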
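Review bot: The added `if (!s->vram_mfns) return;` in set_vram_mapping sits after the `fprintf` that reports "mapping vram to ...", so on the old-firmware path the log records a mapping that never happens. Moving the guard above the `fprintf`, or logging the skip, keeps the log accurate for anyone debugging a blank display: `if (!s->vram_mfns) { fprintf(logfile, "vram_mfns not set, skipping vram mapping\n"); return; }`. A one-line comment stating that `vram_mfns` stays NULL until the firmware has notified ioemu of the VRAM address would explain why NULL is a legitimate state here. Any counterpart that undoes the mapping by walking the same array presumably needs the same guard, but none is visible in this hunk, and set_vram_mapping itself starts and ends outside it.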
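--- a/tools/ioemu/hw/vga.c	Tue Sep 09 15:02:32 2008 +0100
+++ b/tools/ioemu/hw/vga.c	Tue Sep 09 15:02:51 2008 +0100
@@ -2080,7 +2080,13 @@ void xen_vga_vram_map(uint64_t vram_addr
 
     if (copy)
         memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE);
-    qemu_free(xen_vga_state->vram_ptr);
+    if (xen_vga_state->vram_mfns) {
+        /* In case this function is called more than once */
+        free(xen_vga_state->vram_mfns);
+        munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);
+    } else {
+        qemu_free(xen_vga_state->vram_ptr);
+    }
     xen_vga_state->vram_ptr = vram;
     xen_vga_state->vram_mfns = pfn_list;
 #ifdef CONFIG_STUBDOM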
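Review bot: The new branch in xen_vga_vram_map treats `vram_mfns != NULL` as the only evidence that `vram_ptr` is a mapping to be released with `munmap()` rather than a heap buffer for `qemu_free()`, and the comment does not state that invariant. Because the commit message says a guest can trigger this path repeatedly, I would document it in place, e.g. `/* vram_mfns is set only once vram_ptr has been replaced by a mapping, so non-NULL means munmap(), not qemu_free() */`. The `munmap()` result is also ignored; a failure would leave the old `VGA_RAM_SIZE` mapping in place on every repeated notification, so checking it with `if (munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE) < 0)` and reporting the error would make that visible. The allocation of `pfn_list` and the creation of `vram` are outside the hunk, so confirm that `free()` is the matching release for the former and that no other pointer into the old `vram_ptr` region stays in use after the unmap.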