]> xenbits.xensource.com Git - qemu-upstream-4.6-testing.git/commit
projects / qemu-upstream-4.6-testing.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4e35ab1) | patch
vga: stop passing pointers to vga_draw_line* functions master
authorGerd Hoffmann <kraxel@redhat.com>
Mon, 28 Aug 2017 12:29:06 +0000 (14:29 +0200)
committerStefano Stabellini <sstabellini@kernel.org>
Wed, 4 Oct 2017 18:13:48 +0000 (11:13 -0700)
commit9e879690ecc702c271fda4cb48663bb83fdf1832
treedaf0c87be58ee68e274b1e04b0383666fd4facaatree
parent4e35ab1edd74b7d24b7a4aaebe75fe68222a2f2bcommit | diff
vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact:  DoS for privileged guest users.  qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

cherry picked from commit 3d90c6254863693a6b13d918d2b8682e08bbc681

Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Message-id: 20170828122906.18993-1-kraxel@redhat.com
(cherry picked from commit 7434775abf8fb2ca3b9e805d30656f4da8c08816)
hw/display/vga-helpers.h diff | blob | history
hw/display/vga.c diff | blob | history
hw/display/vga_int.h diff | blob | history
Obsolete Upstream Qemu based repository for xen-4.6-testing