From: Ian Jackson
Date: Thu, 11 Sep 2008 11:44:33 +0000 (+0100)
Subject: ioemu: various fixes to `Use main memory for video memory'
X-Git-Tag: t.master-before-merge~94
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=8ba1c72a3080f7c71e2c63a915ddc73634162b0c;p=qemu-xen-4.0-testing.git

ioemu: various fixes to `Use main memory for video memory'

- fix ioemu segv with old firmware
  Without notifying ioemu of address, ioemu will segv.

- fix qemu-dm segv with malicious firmware
  If notifying ioemu more than once, ioemu will segv.
  Usually such cases don't happen, but malicious guest can do it
  intentionally.

Signed-off-by: Isaku Yamahata

(Cross-ported from xen-unstable 18449:33d907ff2b043c4bff5c265737dab0bb52d6f773
 this is a fix to the patch 0844825b76924eac7719875b3886072b74e19397
 which itself was cross-ported from xen-unstable 18383:dade7f0bdc8d6b36b1914598d83c616ee5ce97cb
 There were no conflicts or problems with patch -l.)
---
diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c index 37d2fe5c..c03a5a6e 100644 --- a/hw/cirrus_vga.c +++ b/hw/cirrus_vga.c @@ -2652,6 +2652,9 @@ static void set_vram_mapping(CirrusVGAState *s, unsigned long begin, unsigned lo fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end); + if (!s->vram_mfns) + return; + xatp.domid = domid; xatp.space = XENMAPSPACE_mfn; diff --git a/hw/vga.c b/hw/vga.c index 8fbc4e5b..9e0dea82 100644 --- a/hw/vga.c +++ b/hw/vga.c @@ -2083,7 +2083,13 @@ void xen_vga_vram_map(uint64_t vram_addr, int copy) if (copy) memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE); - qemu_free(xen_vga_state->vram_ptr); + if (xen_vga_state->vram_mfns) { + /* In case this function is called more than once */ + free(xen_vga_state->vram_mfns); + munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE); + } else { + qemu_free(xen_vga_state->vram_ptr); + } xen_vga_state->vram_ptr = vram; xen_vga_state->vram_mfns = pfn_list; #ifdef CONFIG_STUBDOM
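
Review bot: In the hw/cirrus_vga.c hunk, the new `if (!s->vram_mfns) return;` sits after the `fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);` line, so the log still reports a mapping that is then silently skipped. Move the check above the fprintf, or log that the mapping was skipped because no MFN list has been set yet. A short comment saying when vram_mfns is NULL (per the commit message, firmware that never notifies ioemu of the address) would also help, since the bare early return does not explain itself to someone reading set_vram_mapping() later.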
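
Review bot: In the hw/vga.c hunk, the new branch releases `xen_vga_state->vram_mfns` with plain `free()` while the else branch keeps `qemu_free()` for vram_ptr; the allocation of pfn_list is not visible in this hunk, so please confirm it comes from the matching allocator, or switch to the matching release call. The result of `munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE)` is also ignored: the commit message says a malicious guest can drive this path repeatedly, so a failed unmap should at least be logged, otherwise each repeated call could leave a mapping behind. The comment `/* In case this function is called more than once */` would be more useful if it said that the guest controls how often this happens.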