From 1368d9ac36de0f220ee6c71aed3ae20ca6b7b0a5 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 28 Aug 2017 14:29:06 +0200
Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory). Add vga_read_* helper functions which apply vbe_size_mask to the address, to make sure the address stays within the valid range, similar to the cirrus blitter fixes (commits ffaf857778 and 026aeffcb4).

Impact: DoS for privileged guest users. qemu crashes with a segfault, when hitting the guard page after vga memory allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com
(cherry picked from commit 3d90c6254863693a6b13d918d2b8682e08bbc681)
[FL: BSC#1056334 CVE-2017-13672, add macro to fix multiple #include]
Signed-off-by: Fei Li <fli@suse.com>
---
 hw/display/vga.c | 5 +-
 hw/display/vga_int.h | 1 +
 hw/display/vga_template.h | 182 ++++++++++++++++++++++----------------
 3 files changed, 111 insertions(+), 77 deletions(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 5323ff7ea5..42335e1d20 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1051,7 +1051,7 @@ typedef void vga_draw_glyph9_func(uint8_t *d, int linesize,
 const uint8_t *font_ptr, int h,
 uint32_t fgcol, uint32_t bgcol, int dup9);
 typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width);
+ uint32_t srcaddr, int width);
 #ifdef TARGET_WORDS_BIGENDIAN
 static bool vga_is_be = true;
@@ -1988,7 +1988,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
 if (page1 > page_max)
 page_max = page1;
 if (!(is_buffer_shared(surface))) {
- vga_draw_line(s, d, s->vram_ptr + addr, width);
+ vga_draw_line(s, d, addr, width);
 if (s->cursor_draw_line)
 s->cursor_draw_line(s, d, y);
 }
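Review bot: The new `uint32_t srcaddr` parameter of `vga_draw_line_func` changes the contract from "host pointer" to "guest-controlled byte offset into vram", and nothing at the typedef says so; every implementation in vga_template.h also names it `addr`, not `srcaddr`. I would add above the typedef: `/* srcaddr is a byte offset into s->vram, not a host pointer; the callee wraps it with vbe_size_mask before every read */` and rename the parameter to `addr` to match the implementations. The single caller in vga_draw_graphic (second hunk) passes `addr` unmasked; whether the dirty-page bookkeeping around it (`page1`/`page_max`, computed outside the hunk) is also bounded cannot be seen here.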
@@ -2469,6 +2469,7 @@ void vga_common_init(VGACommonState *s, Object *obj)
 if (!s->vbe_size) {
 s->vbe_size = s->vram_size;
 }
+ s->vbe_size_mask = s->vbe_size - 1;
 s->is_vbe_vmstate = 1;
 memory_region_init_ram(&s->vram, obj, "vga.vram", s->vram_size);
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
index dd2d851a12..37846697c7 100644
--- a/hw/display/vga_int.h
+++ b/hw/display/vga_int.h
@@ -94,6 +94,7 @@ typedef struct VGACommonState {
 uint32_t vram_size;
 uint32_t vram_size_mb; /* property */
 uint32_t vbe_size;
+ uint32_t vbe_size_mask;
 uint32_t latch;
 MemoryRegion *chain4_alias;
 uint8_t sr_index;
diff --git a/hw/display/vga_template.h b/hw/display/vga_template.h
index f8ea15fc6a..58424f452f 100644
--- a/hw/display/vga_template.h
+++ b/hw/display/vga_template.h
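Review bot: `s->vbe_size_mask = s->vbe_size - 1;` only wraps offsets modulo vbe_size when vbe_size is a power of two; for any other size `addr & mask` still stays at or below `vbe_size - 1` (so the read is in bounds), but parts of vram become unreachable and others alias, which is silent and hard to debug. vbe_size is either copied from vram_size here or preset by the caller, and neither is shown to be a power of two in this hunk. I would make the assumption explicit right after the assignment with `assert(is_power_of_2(s->vbe_size));` (host-utils.h), or at least a comment `/* vbe_size must be a power of two for the mask to wrap correctly */`. The rest of vga_common_init is outside the hunk.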
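Review bot: The new `vbe_size_mask` field is undocumented while the neighbouring `vram_size_mb` carries a note; a maintainer has no way to tell from the header that it is derived state rather than a property. I would write `uint32_t vbe_size_mask; /* vbe_size - 1, set in vga_common_init; bounds guest vram offsets in vga_read_*() */`. It is not part of the migrated state as far as this hunk shows, which is fine as long as it is always recomputed from vbe_size at init.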
@@ -164,20 +164,49 @@ static void glue(vga_draw_glyph9_, DEPTH)(uint8_t *d, int linesize,
 } while (--h);
 }
+#ifndef VGA_READ_FUNCTION
+#define VGA_READ_FUNCTION 1
+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
+{
+ return vga->vram_ptr[addr & vga->vbe_size_mask];
+}
+
+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+ return lduw_le_p(ptr);
+}
+
+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+ return lduw_be_p(ptr);
+}
+
+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~3;
+ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
+ return ldl_le_p(ptr);
+}
+#endif
+
 /*
 * 4 color mode
 */
-static void glue(vga_draw_line2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 uint32_t plane_mask, *palette, data, v;
 int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
 width >>= 3;
 for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
 data &= plane_mask;
 v = expand2[GET_PLANE(data, 0)];
 v |= expand2[GET_PLANE(data, 2)] << 2;
@@ -193,7 +222,7 @@ static void glue(vga_draw_line2_, DEPTH)(VGACommonState *s1, uint8_t *d,
 ((PIXEL_TYPE *)d)[6] = palette[(v >> 4) & 0xf];
 ((PIXEL_TYPE *)d)[7] = palette[(v >> 0) & 0xf];
 d += BPP * 8;
- s += 4;
+ addr += 4;
 }
 }
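Review bot: The four `vga_read_*` helpers are the whole security boundary of this fix, yet they carry no comment, and the `#ifndef VGA_READ_FUNCTION` guard does not say why it exists. I would put above `vga_read_byte`: `/* Guest-controlled vram offsets: every read is wrapped with vbe_size_mask, and word/dword reads are rounded down to natural alignment. Guarded because this header is included once per DEPTH. */`. Note the alignment rounding (`& ~1`, `& ~3`) is a behaviour change: the old `((uint32_t *)s)[0]` read exactly at the offset the caller supplied, while the new code silently reads the preceding aligned element for an odd offset, so this relies on callers only ever passing aligned addresses, which cannot be confirmed from this hunk.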
@@ -209,17 +238,17 @@ static void glue(vga_draw_line2_, DEPTH)(VGACommonState *s1, uint8_t *d,
 /*
 * 4 color mode, dup2 horizontal
 */
-static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 uint32_t plane_mask, *palette, data, v;
 int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
 width >>= 3;
 for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
 data &= plane_mask;
 v = expand2[GET_PLANE(data, 0)];
 v |= expand2[GET_PLANE(data, 2)] << 2;
@@ -235,24 +264,24 @@ static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
 PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
 PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
 d += BPP * 16;
- s += 4;
+ addr += 4;
 }
 }
 /*
 * 16 color mode
 */
-static void glue(vga_draw_line4_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line4_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 uint32_t plane_mask, data, v, *palette;
 int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
 width >>= 3;
 for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
 data &= plane_mask;
 v = expand4[GET_PLANE(data, 0)];
 v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -267,24 +296,24 @@ static void glue(vga_draw_line4_, DEPTH)(VGACommonState *s1, uint8_t *d,
 ((PIXEL_TYPE *)d)[6] = palette[(v >> 4) & 0xf];
 ((PIXEL_TYPE *)d)[7] = palette[(v >> 0) & 0xf];
 d += BPP * 8;
- s += 4;
+ addr += 4;
 }
 }
 /*
 * 16 color mode, dup2 horizontal
 */
-static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 uint32_t plane_mask, data, v, *palette;
 int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
 width >>= 3;
 for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
 data &= plane_mask;
 v = expand4[GET_PLANE(data, 0)];
 v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -299,7 +328,7 @@ static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
 PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
 PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
 d += BPP * 16;
- s += 4;
+ addr += 4;
 }
 }
@@ -308,21 +337,21 @@ static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
 *
 * XXX: add plane_mask support (never used in standard VGA modes)
 */
-static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 uint32_t *palette;
 int x;
- palette = s1->last_palette;
+ palette = vga->last_palette;
 width >>= 3;
 for(x = 0; x < width; x++) {
- PUT_PIXEL2(d, 0, palette[s[0]]);
- PUT_PIXEL2(d, 1, palette[s[1]]);
- PUT_PIXEL2(d, 2, palette[s[2]]);
- PUT_PIXEL2(d, 3, palette[s[3]]);
+ PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);
+ PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);
+ PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);
+ PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);
 d += BPP * 8;
- s += 4;
+ addr += 4;
 }
 }
@@ -331,25 +360,25 @@ static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
 *
 * XXX: add plane_mask support (never used in standard VGA modes)
 */
-static void glue(vga_draw_line8_, DEPTH)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line8_, DEPTH)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 uint32_t *palette;
 int x;
- palette = s1->last_palette;
+ palette = vga->last_palette;
 width >>= 3;
 for(x = 0; x < width; x++) {
- ((PIXEL_TYPE *)d)[0] = palette[s[0]];
- ((PIXEL_TYPE *)d)[1] = palette[s[1]];
- ((PIXEL_TYPE *)d)[2] = palette[s[2]];
- ((PIXEL_TYPE *)d)[3] = palette[s[3]];
- ((PIXEL_TYPE *)d)[4] = palette[s[4]];
- ((PIXEL_TYPE *)d)[5] = palette[s[5]];
- ((PIXEL_TYPE *)d)[6] = palette[s[6]];
- ((PIXEL_TYPE *)d)[7] = palette[s[7]];
+ ((PIXEL_TYPE *)d)[0] = palette[vga_read_byte(vga, addr + 0)];
+ ((PIXEL_TYPE *)d)[1] = palette[vga_read_byte(vga, addr + 1)];
+ ((PIXEL_TYPE *)d)[2] = palette[vga_read_byte(vga, addr + 2)];
+ ((PIXEL_TYPE *)d)[3] = palette[vga_read_byte(vga, addr + 3)];
+ ((PIXEL_TYPE *)d)[4] = palette[vga_read_byte(vga, addr + 4)];
+ ((PIXEL_TYPE *)d)[5] = palette[vga_read_byte(vga, addr + 5)];
+ ((PIXEL_TYPE *)d)[6] = palette[vga_read_byte(vga, addr + 6)];
+ ((PIXEL_TYPE *)d)[7] = palette[vga_read_byte(vga, addr + 7)];
 d += BPP * 8;
- s += 8;
+ addr += 8;
 }
 }
@@ -361,11 +390,12 @@ static void glue(vga_draw_line8_, DEPTH)(VGACommonState *s1, uint8_t *d,
 /*
 * 15 bit color
 */
-static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 #if DEPTH == 15 && PIX_BE == defined(HOST_WORDS_BIGENDIAN)
- memcpy(d, s, width * 2);
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 2);
 #else
 int w;
 uint32_t v, r, g, b;
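Review bot: The memcpy fast path in `vga_draw_line15_` masks only the start of the copy: `offset` is bounded, but `offset + width * 2` is not, so with a start offset near the end of vram the copy still runs past the allocation and into the guard page the commit message is about, unless vga_draw_graphic (outside this hunk) already limits every line to vbe_size, which cannot be seen here. The per-word loop in the `#else` branch does not have this problem because each `vga_read_word_*` wraps, so the two paths also disagree on what a line that straddles the end of vram looks like. I would keep the straight copy only when the whole line fits and otherwise fall through to the wrapping loop, which means compiling the loop unconditionally and dropping the `#else`/`#endif` pair; the same applies to the line16 and line32 fast paths in the later hunks. The body of `vga_draw_line15_` continues in the next hunk.
```c
static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
                                                uint32_t addr, int width)
{
    int w;
    uint32_t v, r, g, b;
#if DEPTH == 15 && PIX_BE == defined(HOST_WORDS_BIGENDIAN)
    uint32_t offset = addr & vga->vbe_size_mask & ~1;
    /* Straight copy only when the whole line lies inside vram; a line
     * that would run past vbe_size takes the wrapping per-word loop
     * below instead of reading beyond the allocation. */
    if ((uint64_t)offset + (uint64_t)width * 2 <= vga->vbe_size) {
        memcpy(d, vga->vram_ptr + offset, width * 2);
        return;
    }
#endif
    /* … unchanged: per-word loop from the next hunk, now compiled
     * unconditionally (its #else/#endif removed) … */
```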
@@ -373,15 +403,15 @@ static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 w = width;
 do {
 #if PIX_BE
- v = lduw_be_p((void *)s);
+ v = vga_read_word_be(vga, addr);
 #else
- v = lduw_le_p((void *)s);
+ v = vga_read_word_le(vga, addr);
 #endif
 r = (v >> 7) & 0xf8;
 g = (v >> 2) & 0xf8;
 b = (v << 3) & 0xf8;
 ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 2;
+ addr += 2;
 d += BPP;
 } while (--w != 0);
 #endif
@@ -390,11 +420,12 @@ static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 /*
 * 16 bit color
 */
-static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 #if DEPTH == 16 && PIX_BE == defined(HOST_WORDS_BIGENDIAN)
- memcpy(d, s, width * 2);
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 2);
 #else
 int w;
 uint32_t v, r, g, b;
@@ -402,15 +433,15 @@ static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 w = width;
 do {
 #if PIX_BE
- v = lduw_be_p((void *)s);
+ v = vga_read_word_be(vga, addr);
 #else
- v = lduw_le_p((void *)s);
+ v = vga_read_word_le(vga, addr);
 #endif
 r = (v >> 8) & 0xf8;
 g = (v >> 3) & 0xfc;
 b = (v << 3) & 0xf8;
 ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 2;
+ addr += 2;
 d += BPP;
 } while (--w != 0);
 #endif
@@ -419,8 +450,8 @@ static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 /*
 * 24 bit color
 */
-static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 int w;
 uint32_t r, g, b;
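Review bot: In the `vga_draw_line16_` hunk the fast path has the same gap as line15: `memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 2)` bounds only `offset`, not `offset + width * 2`, so a line starting near the end of vram is still copied past the allocation unless the caller already clamps it (not visible here). The guard `if ((uint64_t)offset + (uint64_t)width * 2 <= vga->vbe_size)` in front of the memcpy, with a fall-through to the wrapping per-word loop that follows in the next hunk, closes it the same way as proposed for line15; the rest of `vga_draw_line16_` is outside this hunk.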
@@ -428,16 +459,16 @@ static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 w = width;
 do {
 #if PIX_BE
- r = s[0];
- g = s[1];
- b = s[2];
+ r = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ b = vga_read_byte(vga, addr + 2);
 #else
- b = s[0];
- g = s[1];
- r = s[2];
+ b = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ r = vga_read_byte(vga, addr + 2);
 #endif
 ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 3;
+ addr += 3;
 d += BPP;
 } while (--w != 0);
 }
@@ -445,11 +476,12 @@ static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 /*
 * 32 bit color
 */
-static void glue(vga_draw_line32_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void glue(vga_draw_line32_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
 {
 #if DEPTH == 32 && !BGR_FORMAT && PIX_BE == defined(HOST_WORDS_BIGENDIAN)
- memcpy(d, s, width * 4);
+ uint32_t offset = addr & vga->vbe_size_mask & ~3;
+ memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 4);
 #else
 int w;
 uint32_t r, g, b;
@@ -457,16 +489,16 @@ static void glue(vga_draw_line32_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 w = width;
 do {
 #if PIX_BE
- r = s[1];
- g = s[2];
- b = s[3];
+ r = vga_read_byte(vga, addr + 1);
+ g = vga_read_byte(vga, addr + 2);
+ b = vga_read_byte(vga, addr + 3);
 #else
- b = s[0];
- g = s[1];
- r = s[2];
+ b = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ r = vga_read_byte(vga, addr + 2);
 #endif
 ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
- s += 4;
+ addr += 4;
 d += BPP;
 } while (--w != 0);
 #endif
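Review bot: The `vga_draw_line32_` fast path (`memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 4)` in the middle hunk) is the third copy whose end is unbounded: `offset` is wrapped with `vbe_size_mask & ~3` but `offset + width * 4` can still exceed vbe_size, so the guard page can be hit from here even though every `vga_read_byte` in the per-pixel branch is safe. I would add `if ((uint64_t)offset + (uint64_t)width * 4 <= vga->vbe_size)` around the memcpy and otherwise fall through to the per-pixel loop of the last hunk, as proposed for line15; that loop is currently only compiled under `#else`, so the `#else`/`#endif` need to go for the fall-through to exist. Whether the caller already clamps the line length cannot be determined from these hunks.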