[Qemu-stable] [PATCH 28/56] vmsvga: shadow fifo registers
From: |
Michael Roth |
Subject: |
[Qemu-stable] [PATCH 28/56] vmsvga: shadow fifo registers |
Date: |
Mon, 8 Aug 2016 16:03:59 -0500 |
From: Gerd Hoffmann <address@hidden>
The fifo is normal ram. So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization. Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us. So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.
Fixes: CVE-2016-4454
Cc: address@hidden
Cc: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
Signed-off-by: Michael Roth <address@hidden>
---
hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
1 file changed, 28 insertions(+), 29 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index a26e62e..de2567b 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -66,17 +66,11 @@ struct vmsvga_state_s {
uint8_t *fifo_ptr;
unsigned int fifo_size;
- union {
- uint32_t *fifo;
- struct QEMU_PACKED {
- uint32_t min;
- uint32_t max;
- uint32_t next_cmd;
- uint32_t stop;
- /* Add registers here when adding capabilities. */
- uint32_t fifo[0];
- } *cmd;
- };
+ uint32_t *fifo;
+ uint32_t fifo_min;
+ uint32_t fifo_max;
+ uint32_t fifo_next;
+ uint32_t fifo_stop;
#define REDRAW_FIFO_LEN 512
struct vmsvga_rect_s {
@@ -198,7 +192,7 @@ enum {
*/
SVGA_FIFO_MIN = 0,
SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
- SVGA_FIFO_NEXT_CMD,
+ SVGA_FIFO_NEXT,
SVGA_FIFO_STOP,
/*
@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct
vmsvga_state_s *s,
}
#endif
-#define CMD(f) le32_to_cpu(s->cmd->f)
-
static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
{
int num;
@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct
vmsvga_state_s *s)
return 0;
}
+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
+
/* Check range and alignment. */
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
return 0;
}
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+ if (s->fifo_min < sizeof(uint32_t) * 4) {
return 0;
}
- if (CMD(max) > SVGA_FIFO_SIZE ||
- CMD(min) >= SVGA_FIFO_SIZE ||
- CMD(stop) >= SVGA_FIFO_SIZE ||
- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
+ if (s->fifo_max > SVGA_FIFO_SIZE ||
+ s->fifo_min >= SVGA_FIFO_SIZE ||
+ s->fifo_stop >= SVGA_FIFO_SIZE ||
+ s->fifo_next >= SVGA_FIFO_SIZE) {
return 0;
}
- if (CMD(max) < CMD(min) + 10 * 1024) {
+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
return 0;
}
- num = CMD(next_cmd) - CMD(stop);
+ num = s->fifo_next - s->fifo_stop;
if (num < 0) {
- num += CMD(max) - CMD(min);
+ num += s->fifo_max - s->fifo_min;
}
return num >> 2;
}
static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
{
- uint32_t cmd = s->fifo[CMD(stop) >> 2];
+ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
- if (CMD(stop) >= CMD(max)) {
- s->cmd->stop = s->cmd->min;
+ s->fifo_stop += 4;
+ if (s->fifo_stop >= s->fifo_max) {
+ s->fifo_stop = s->fifo_min;
}
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
return cmd;
}
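Review bot: The four shadow registers are overwritten with the raw guest values at `s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);` and the three lines after it before any of the range, alignment or 10K checks run, so on every early `return 0;` path the shadows are left holding unvalidated guest data. vmsvga_fifo_run() is safe because it only touches s->fifo_stop when the returned length is positive, but any other reader of the shadows that does not call vmsvga_fifo_length() first would see unchecked values; I cannot see such a reader from here, so this is a hardening point rather than a proven bug. Loading into locals, validating those, and committing to the shadows only after the last check passes keeps the "guest can't modify them after the sanity checks" invariant from the description true for every caller. The opening lines of vmsvga_fifo_length() lie outside this hunk. Separately, the write-back `s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);` now appears both in vmsvga_fifo_read_raw() here and in the rewind path of the last hunk; a small static helper that updates the shadow and the guest-visible word together would keep the two in sync.
```c
static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
{
    int num;
    /* … unchanged: early return 0 when the fifo is not usable … */

    uint32_t fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
    uint32_t fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
    uint32_t fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
    uint32_t fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);

    /* … alignment, range and 10K-distance checks unchanged, except that
       they test the locals fifo_min/fifo_max/fifo_next/fifo_stop rather
       than s->fifo_* and still return 0 on failure … */

    /* Only values that passed every check reach the shadows. */
    s->fifo_min = fifo_min;
    s->fifo_max = fifo_max;
    s->fifo_next = fifo_next;
    s->fifo_stop = fifo_stop;

    num = s->fifo_next - s->fifo_stop;
    /* … unchanged: wrap-around adjustment and return num >> 2 … */
```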
@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
len = vmsvga_fifo_length(s);
while (len > 0) {
/* May need to go back to the start of the command if incomplete */
- cmd_start = s->cmd->stop;
+ cmd_start = s->fifo_stop;
switch (cmd = vmsvga_fifo_read(s)) {
case SVGA_CMD_UPDATE:
@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
break;
rewind:
- s->cmd->stop = cmd_start;
+ s->fifo_stop = cmd_start;
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
break;
}
}
--
1.9.1