From 8ba1c72a3080f7c71e2c63a915ddc73634162b0c Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 11 Sep 2008 12:44:33 +0100
Subject: [PATCH] ioemu: various fixes to `Use main memory for video memory'
- fix ioemu segv with old firmware
Without notifying ioemu of address, ioemu will segv.
- fix qemu-dm segv with malicous firmware
If notifying ioemu more than once, ioemu will segv. Usually such cases don't happen, but malicious guest can do it intentionally.
Signed-off-by: Isaku Yamahata
(Cross-ported from xen-unstable 18449:33d907ff2b043c4bff5c265737dab0bb52d6f773 this is a fix to the patch 0844825b76924eac7719875b3886072b74e19397 which itself was cross-ported from xen-unstable 18383:dade7f0bdc8d6b36b1914598d83c616ee5ce97cb There were no conflicts or problems with patch -l.)
---
 hw/cirrus_vga.c | 3 +++
 hw/vga.c | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 37d2fe5c..c03a5a6e 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -2652,6 +2652,9 @@ static void set_vram_mapping(CirrusVGAState *s, unsigned long begin, unsigned lo
 fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);
+ if (!s->vram_mfns)
+ return;
+
 xatp.domid = domid;
 xatp.space = XENMAPSPACE_mfn;
diff --git a/hw/vga.c b/hw/vga.c
index 8fbc4e5b..9e0dea82 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -2083,7 +2083,13 @@ void xen_vga_vram_map(uint64_t vram_addr, int copy)
 if (copy)
 memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE);
- qemu_free(xen_vga_state->vram_ptr);
+ if (xen_vga_state->vram_mfns) {
+ /* In case this function is called more than once */
+ free(xen_vga_state->vram_mfns);
+ munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);
+ } else {
+ qemu_free(xen_vga_state->vram_ptr);
+ }
 xen_vga_state->vram_ptr = vram;
 xen_vga_state->vram_mfns = pfn_list;
 #ifdef CONFIG_STUBDOM
--
2.39.5
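Review bot: The new `if (!s->vram_mfns) return;` in set_vram_mapping sits after the `fprintf(logfile,"mapping vram to %lx - %lx\n", ...)` call, so on the old-firmware path the log still reports a mapping that is then silently skipped. Moving the guard above the log line, or logging the skip, would keep the log truthful when diagnosing a guest that never reported its VRAM address. A short comment on the guard would also help, e.g. `/* vram_mfns is still NULL if the firmware never notified us of the VRAM address; nothing to map */`. The function starts and ends outside the hunk, so whether the caller still records the range as mapped after this early return cannot be checked here.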
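Review bot: The remap branch in xen_vga_vram_map calls `munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE)`, but the visible lines re-point only `xen_vga_state->vram_ptr` and `vram_mfns`. Any other pointer derived from the old mapping (a display surface or cached offset held elsewhere, not visible here) would dangle, and the commit message says a guest can reach this path at will. It is worth confirming no such alias exists, or refreshing it right after the swap. The `munmap()` return value is also ignored, and `vram_mfns` is released with `free()` while the other branch uses `qemu_free()`; `pfn_list` is allocated above the hunk, so check that the allocator matches. The function body begins and ends outside the hunk.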