- fix ioemu segv with old firmware
Without notifying ioemu of address, ioemu will segv.
- fix qemu-dm segv with malicious firmware
If notifying ioemu more than once, ioemu will segv.
Usually such cases don't happen, but a malicious guest can
do it intentionally.
Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
(Cross-ported from xen-unstable
18449:
33d907ff2b043c4bff5c265737dab0bb52d6f773
this is a fix to the patch
0844825b76924eac7719875b3886072b74e19397
which itself was cross-ported from xen-unstable
18383:
dade7f0bdc8d6b36b1914598d83c616ee5ce97cb
There were no conflicts or problems with patch -l.)
fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);
+ if (!s->vram_mfns)
+ return;
+
xatp.domid = domid;
xatp.space = XENMAPSPACE_mfn;
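Review bot: the new `if (!s->vram_mfns) return;` sits after the `fprintf(logfile,"mapping vram to %lx - %lx\n", ...)` line, so in the old-firmware case the log records a mapping that is then silently skipped. Move the check above the fprintf, or log a distinct message on the early return, so the log shows that the address was never notified. A one-line comment on the check stating when `vram_mfns` can still be unset (per the commit message, when ioemu has not been notified of the address) would also help.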
if (copy)
memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE);
- qemu_free(xen_vga_state->vram_ptr);
+ if (xen_vga_state->vram_mfns) {
+ /* In case this function is called more than once */
+ free(xen_vga_state->vram_mfns);
+ munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);
+ } else {
+ qemu_free(xen_vga_state->vram_ptr);
+ }
xen_vga_state->vram_ptr = vram;
xen_vga_state->vram_mfns = pfn_list;
#ifdef CONFIG_STUBDOM
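Review bot: in the new `if (xen_vga_state->vram_mfns)` branch the list is released with `free()`, while the else branch releases `vram_ptr` with `qemu_free()`; please confirm that `pfn_list` is allocated with plain malloc at its allocation site (not visible in this hunk), or switch to the matching release function. The return value of `munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE)` is also ignored; since the commit message says a guest can reach this path intentionally, a failure there should at least be written to the log. The comment "In case this function is called more than once" could state that the repeated call is guest-triggerable, so the reason the branch exists stays clear to later readers.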