Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:Update
xen.36362
xsa463-04.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa463-04.patch of Package xen.36362
From: Jan Beulich <jbeulich@suse.com> Subject: x86/HVM: remove unused MMIO handling code All read accesses are rejected by the ->accept handler, while writes bypass the bulk of the function body. Drop the dead code, leaving an assertion in the read handler. A number of other static items (and a macro) are then unreferenced and hence also need (want) dropping. The same applies to the "latch" field of the state structure. This is part of XSA-463 / CVE-2024-45818 Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> (cherry picked from commit 89108547af1f230b72893b48351f9c1106189649) Index: xen-4.14.6-testing/xen/arch/x86/hvm/stdvga.c =================================================================== --- xen-4.14.6-testing.orig/xen/arch/x86/hvm/stdvga.c +++ xen-4.14.6-testing/xen/arch/x86/hvm/stdvga.c @@ -38,26 +38,6 @@ #define VGA_MEM_BASE 0xa0000 #define VGA_MEM_SIZE 0x20000 -#define PAT(x) (x) -static const uint32_t mask16[16] = { - PAT(0x00000000), - PAT(0x000000ff), - PAT(0x0000ff00), - PAT(0x0000ffff), - PAT(0x00ff0000), - PAT(0x00ff00ff), - PAT(0x00ffff00), - PAT(0x00ffffff), - PAT(0xff000000), - PAT(0xff0000ff), - PAT(0xff00ff00), - PAT(0xff00ffff), - PAT(0xffff0000), - PAT(0xffff00ff), - PAT(0xffffff00), - PAT(0xffffffff), -}; - /* force some bits to zero */ static const uint8_t sr_mask[8] = { (uint8_t)~0xfc, @@ -82,25 +62,6 @@ static const uint8_t gr_mask[9] = { (uint8_t)~0x00, /* 0x08 */ }; -static uint8_t *vram_getb(struct hvm_hw_stdvga *s, unsigned int a) -{ - struct page_info *pg = s->vram_page[(a >> 12) & 0x3f]; - uint8_t *p = __map_domain_page(pg); - return &p[a & 0xfff]; -} - -static uint32_t *vram_getl(struct hvm_hw_stdvga *s, unsigned int a) -{ - struct page_info *pg = s->vram_page[(a >> 10) & 0x3f]; - uint32_t *p = __map_domain_page(pg); - return &p[a & 0x3ff]; -} - -static void vram_put(struct hvm_hw_stdvga *s, void *p) -{ - unmap_domain_page(p); -} - static int stdvga_outb(uint64_t addr, uint8_t val) { struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga; @@ -169,243 +130,12 @@ static int stdvga_intercept_pio( return X86EMUL_UNHANDLEABLE; /* propagate to external ioemu */ } -static unsigned int stdvga_mem_offset( - struct hvm_hw_stdvga *s, unsigned int mmio_addr) -{ - unsigned int memory_map_mode = (s->gr[6] >> 2) & 3; - unsigned int offset = mmio_addr & 0x1ffff; - - switch ( memory_map_mode ) - { - case 0: - break; - case 1: - if ( offset >= 0x10000 ) - goto fail; - offset += 0; /* assume bank_offset == 0; */ - break; - case 2: - offset -= 0x10000; - if ( offset >= 0x8000 ) - goto fail; - break; - default: - case 3: - offset -= 0x18000; - if ( offset >= 0x8000 ) - goto fail; - break; - } - - return offset; - - fail: - return ~0u; -} - -#define GET_PLANE(data, p) (((data) >> ((p) * 8)) & 0xff) - -static uint8_t stdvga_mem_readb(uint64_t addr) -{ - struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga; - int plane; - uint32_t ret, *vram_l; - uint8_t *vram_b; - - addr = stdvga_mem_offset(s, addr); - if ( addr == ~0u ) - return 0xff; - - if ( s->sr[4] & 0x08 ) - { - /* chain 4 mode : simplest access */ - vram_b = vram_getb(s, addr); - ret = *vram_b; - vram_put(s, vram_b); - } - else if ( s->gr[5] & 0x10 ) - { - /* odd/even mode (aka text mode mapping) */ - plane = (s->gr[4] & 2) | (addr & 1); - vram_b = vram_getb(s, ((addr & ~1) << 1) | plane); - ret = *vram_b; - vram_put(s, vram_b); - } - else - { - /* standard VGA latched access */ - vram_l = vram_getl(s, addr); - s->latch = *vram_l; - vram_put(s, vram_l); - - if ( !(s->gr[5] & 0x08) ) - { - /* read mode 0 */ - plane = s->gr[4]; - ret = GET_PLANE(s->latch, plane); - } - else - { - /* read mode 1 */ - ret = (s->latch ^ mask16[s->gr[2]]) & mask16[s->gr[7]]; - ret |= ret >> 16; - ret |= ret >> 8; - ret = (~ret) & 0xff; - } - } - - return ret; -} - static int stdvga_mem_read(const struct hvm_io_handler *handler, uint64_t addr, uint32_t size, uint64_t *p_data) { - uint64_t data = ~0ul; - - switch ( size ) - { - case 1: - data = stdvga_mem_readb(addr); - break; - - case 2: - data = stdvga_mem_readb(addr); - data |= stdvga_mem_readb(addr + 1) << 8; - break; - - case 4: - data = stdvga_mem_readb(addr); - data |= stdvga_mem_readb(addr + 1) << 8; - data |= stdvga_mem_readb(addr + 2) << 16; - data |= (uint32_t)stdvga_mem_readb(addr + 3) << 24; - break; - - case 8: - data = (uint64_t)(stdvga_mem_readb(addr)); - data |= (uint64_t)(stdvga_mem_readb(addr + 1)) << 8; - data |= (uint64_t)(stdvga_mem_readb(addr + 2)) << 16; - data |= (uint64_t)(stdvga_mem_readb(addr + 3)) << 24; - data |= (uint64_t)(stdvga_mem_readb(addr + 4)) << 32; - data |= (uint64_t)(stdvga_mem_readb(addr + 5)) << 40; - data |= (uint64_t)(stdvga_mem_readb(addr + 6)) << 48; - data |= (uint64_t)(stdvga_mem_readb(addr + 7)) << 56; - break; - - default: - gdprintk(XENLOG_WARNING, "invalid io size: %u\n", size); - break; - } - - *p_data = data; - return X86EMUL_OKAY; -} - -static void stdvga_mem_writeb(uint64_t addr, uint32_t val) -{ - struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga; - int plane, write_mode, b, func_select, mask; - uint32_t write_mask, bit_mask, set_mask, *vram_l; - uint8_t *vram_b; - - addr = stdvga_mem_offset(s, addr); - if ( addr == ~0u ) - return; - - if ( s->sr[4] & 0x08 ) - { - /* chain 4 mode : simplest access */ - plane = addr & 3; - mask = (1 << plane); - if ( s->sr[2] & mask ) - { - vram_b = vram_getb(s, addr); - *vram_b = val; - vram_put(s, vram_b); - } - } - else if ( s->gr[5] & 0x10 ) - { - /* odd/even mode (aka text mode mapping) */ - plane = (s->gr[4] & 2) | (addr & 1); - mask = (1 << plane); - if ( s->sr[2] & mask ) - { - addr = ((addr & ~1) << 1) | plane; - vram_b = vram_getb(s, addr); - *vram_b = val; - vram_put(s, vram_b); - } - } - else - { - write_mode = s->gr[5] & 3; - switch ( write_mode ) - { - default: - case 0: - /* rotate */ - b = s->gr[3] & 7; - val = ((val >> b) | (val << (8 - b))) & 0xff; - val |= val << 8; - val |= val << 16; - - /* apply set/reset mask */ - set_mask = mask16[s->gr[1]]; - val = (val & ~set_mask) | (mask16[s->gr[0]] & set_mask); - bit_mask = s->gr[8]; - break; - case 1: - val = s->latch; - goto do_write; - case 2: - val = mask16[val & 0x0f]; - bit_mask = s->gr[8]; - break; - case 3: - /* rotate */ - b = s->gr[3] & 7; - val = (val >> b) | (val << (8 - b)); - - bit_mask = s->gr[8] & val; - val = mask16[s->gr[0]]; - break; - } - - /* apply logical operation */ - func_select = s->gr[3] >> 3; - switch ( func_select ) - { - case 0: - default: - /* nothing to do */ - break; - case 1: - /* and */ - val &= s->latch; - break; - case 2: - /* or */ - val |= s->latch; - break; - case 3: - /* xor */ - val ^= s->latch; - break; - } - - /* apply bit mask */ - bit_mask |= bit_mask << 8; - bit_mask |= bit_mask << 16; - val = (val & bit_mask) | (s->latch & ~bit_mask); - - do_write: - /* mask data according to sr[2] */ - mask = s->sr[2]; - write_mask = mask16[mask]; - vram_l = vram_getl(s, addr); - *vram_l = (*vram_l & ~write_mask) | (val & write_mask); - vram_put(s, vram_l); - } + ASSERT_UNREACHABLE(); + *p_data = ~0; + return X86EMUL_UNHANDLEABLE; } static int stdvga_mem_write(const struct hvm_io_handler *handler, @@ -420,47 +150,8 @@ static int stdvga_mem_write(const struct .dir = IOREQ_WRITE, .data = data, }; - struct hvm_ioreq_server *srv; - - goto done; - - /* Intercept mmio write */ - switch ( size ) - { - case 1: - stdvga_mem_writeb(addr, (data >> 0) & 0xff); - break; - - case 2: - stdvga_mem_writeb(addr+0, (data >> 0) & 0xff); - stdvga_mem_writeb(addr+1, (data >> 8) & 0xff); - break; - - case 4: - stdvga_mem_writeb(addr+0, (data >> 0) & 0xff); - stdvga_mem_writeb(addr+1, (data >> 8) & 0xff); - stdvga_mem_writeb(addr+2, (data >> 16) & 0xff); - stdvga_mem_writeb(addr+3, (data >> 24) & 0xff); - break; - - case 8: - stdvga_mem_writeb(addr+0, (data >> 0) & 0xff); - stdvga_mem_writeb(addr+1, (data >> 8) & 0xff); - stdvga_mem_writeb(addr+2, (data >> 16) & 0xff); - stdvga_mem_writeb(addr+3, (data >> 24) & 0xff); - stdvga_mem_writeb(addr+4, (data >> 32) & 0xff); - stdvga_mem_writeb(addr+5, (data >> 40) & 0xff); - stdvga_mem_writeb(addr+6, (data >> 48) & 0xff); - stdvga_mem_writeb(addr+7, (data >> 56) & 0xff); - break; - - default: - gdprintk(XENLOG_WARNING, "invalid io size: %u\n", size); - break; - } + struct hvm_ioreq_server *srv = hvm_select_ioreq_server(current->domain, &p); - done: - srv = hvm_select_ioreq_server(current->domain, &p); if ( !srv ) return X86EMUL_UNHANDLEABLE; Index: xen-4.14.6-testing/xen/include/asm-x86/hvm/io.h =================================================================== --- xen-4.14.6-testing.orig/xen/include/asm-x86/hvm/io.h +++ xen-4.14.6-testing/xen/include/asm-x86/hvm/io.h @@ -142,7 +142,6 @@ struct hvm_hw_stdvga { uint8_t sr[8]; uint8_t gr_index; uint8_t gr[9]; - uint32_t latch; struct page_info *vram_page[64]; /* shadow of 0xa0000-0xaffff */ spinlock_t lock; };
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
