[Qemu-commits] [qemu/qemu] e65294: vga: fix display update region calcul
From: GitHub
Subject: [Qemu-commits] [qemu/qemu] e65294: vga: fix display update region calculation (split ...
Date: Thu, 14 Sep 2017 05:43:11 -0700
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: e65294157d4b69393b3f819c99f4f647452b48e3
https://github.com/qemu/qemu/commit/e65294157d4b69393b3f819c99f4f647452b48e3
Author: Gerd Hoffmann <address@hidden>
Date: 2017-09-01 (Fri, 01 Sep 2017)
Changed paths:
M hw/display/vga.c
Log Message:
-----------
vga: fix display update region calculation (split screen)
vga display update mis-calculated the region for the dirty bitmap
snapshot in case split screen mode is used. This can trigger an
assert in cpu_physical_memory_snapshot_get_dirty().
Impact: DoS for privileged guest users.
Fixes: CVE-2017-13673
Fixes: fec5e8c92becad223df9d972770522f64aafdb72
Cc: P J P <address@hidden>
Reported-by: David Buchanan <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Commit: 3d90c6254863693a6b13d918d2b8682e08bbc681
https://github.com/qemu/qemu/commit/3d90c6254863693a6b13d918d2b8682e08bbc681
Author: Gerd Hoffmann <address@hidden>
Date: 2017-09-01 (Fri, 01 Sep 2017)
Changed paths:
M hw/display/vga-helpers.h
M hw/display/vga.c
M hw/display/vga_int.h
Log Message:
-----------
vga: stop passing pointers to vga_draw_line* functions
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).
Impact: DoS for privileged guest users. qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.
Fixes: CVE-2017-13672
Cc: P J P <address@hidden>
Reported-by: David Buchanan <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Commit: 79c5a10cdda1aed00d7ee4ef87de2ef8c854f4a5
https://github.com/qemu/qemu/commit/79c5a10cdda1aed00d7ee4ef87de2ef8c854f4a5
Author: Gerd Hoffmann <address@hidden>
Date: 2017-09-01 (Fri, 01 Sep 2017)
Changed paths:
M hw/display/qxl-render.c
Log Message:
-----------
qxl: drop mono cursor support
The chunk size sanity check in qxl_render_cursor works for
SPICE_CURSOR_TYPE_ALPHA cursors only. So support for
SPICE_CURSOR_TYPE_MONO cursors must be broken for ages without anyone
noticing. Most likely it simply isn't used any more by guest drivers.
Drop the dead code.
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Commit: b21330b513365a83aa808a27da1ebe53f8f10c3c
https://github.com/qemu/qemu/commit/b21330b513365a83aa808a27da1ebe53f8f10c3c
Author: Gerd Hoffmann <address@hidden>
Date: 2017-09-01 (Fri, 01 Sep 2017)
Changed paths:
M hw/display/qxl-render.c
Log Message:
-----------
qxl: add support for chunked cursors.
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Commit: 138bc2df843105edb22978284fc2e16307f16211
https://github.com/qemu/qemu/commit/138bc2df843105edb22978284fc2e16307f16211
Author: Dr. David Alan Gilbert <address@hidden>
Date: 2017-09-01 (Fri, 01 Sep 2017)
Changed paths:
M hw/display/vga.c
Log Message:
-----------
vga/migration: Update memory map in post_load
After migration the chain4 alias mapping added by 80763888 (in 2011)
might be missing, since there's no call to vga_update_memory_access
in the post_load after the registers are updated. Add it back.
Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Commit: 79d16c21a565927943486b26789caa62413ff371
https://github.com/qemu/qemu/commit/79d16c21a565927943486b26789caa62413ff371
Author: Gerd Hoffmann <address@hidden>
Date: 2017-09-13 (Wed, 13 Sep 2017)
Changed paths:
M hw/display/virtio-gpu.c
Log Message:
-----------
virtio-gpu: don't clear QemuUIInfo information on reset
Don't reset window layout information (passed via virtio_gpu_ui_info) on
device reset, so the user interface window layout will be kept intact
over reboots. The head size and position was commented out already, so
this patch just drops the dead code. Additionally the enabled head mask
must be kept so multihead setups work properly too.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1460595
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden
Commit: bcf9e2c0a5f8de395842e034ca15be13d1fc5f90
https://github.com/qemu/qemu/commit/bcf9e2c0a5f8de395842e034ca15be13d1fc5f90
Author: Peter Maydell <address@hidden>
Date: 2017-09-14 (Thu, 14 Sep 2017)
Changed paths:
M hw/display/qxl-render.c
M hw/display/vga-helpers.h
M hw/display/vga.c
M hw/display/vga_int.h
M hw/display/virtio-gpu.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/kraxel/tags/vga-20170913-pull-request'
into staging
vga: bugfixes.
qxl: chunked cursor support.
# gpg: Signature made Wed 13 Sep 2017 08:41:08 BST
# gpg: using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg: aka "Gerd Hoffmann <address@hidden>"
# gpg: aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* remotes/kraxel/tags/vga-20170913-pull-request:
virtio-gpu: don't clear QemuUIInfo information on reset
vga/migration: Update memory map in post_load
qxl: add support for chunked cursors.
qxl: drop mono cursor support
vga: stop passing pointers to vga_draw_line* functions
vga: fix display update region calculation (split screen)
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/04ef33052c20...bcf9e2c0a5f8
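
The "vga: stop passing pointers to vga_draw_line* functions" commit above describes read helpers that apply vbe_size_mask to an offset instead of dereferencing a raw pointer. The following is an added illustration of that pattern, not code from QEMU or from this commit series; `ToyVga` and the `toy_*` functions are hypothetical names, and masking each byte of a multi-byte read separately is a choice made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified device state (not QEMU's VGACommonState). */
typedef struct {
    uint8_t *vram;      /* backing store; size must be a power of two */
    uint32_t size_mask; /* size - 1, plays the role of vbe_size_mask */
} ToyVga;

/* Allocate vram and fill it with a constructed pattern: vram[i] = i & 0xff. */
static ToyVga *toy_vga_new(uint32_t size)
{
    /* The mask is only a valid bound for power-of-two sizes. */
    if (size == 0 || (size & (size - 1)) != 0)
        return NULL;
    ToyVga *s = malloc(sizeof(*s));
    uint8_t *p = malloc(size);
    if (!s || !p) { free(s); free(p); return NULL; }
    s->vram = p;
    s->size_mask = size - 1;
    for (uint32_t i = 0; i < size; i++)
        s->vram[i] = (uint8_t)i;
    return s;
}

/* Every access masks the guest-derived address, so it cannot leave vram. */
static uint8_t toy_read_byte(const ToyVga *s, uint32_t addr)
{
    return s->vram[addr & s->size_mask];
}

/* Masking per byte makes a read that straddles the end wrap to offset 0. */
static uint32_t toy_read_dword_le(const ToyVga *s, uint32_t addr)
{
    uint32_t v = 0;
    for (uint32_t i = 0; i < 4; i++)
        v |= (uint32_t)toy_read_byte(s, addr + i) << (8 * i);
    return v;
}

int main(void)
{
    ToyVga *s = toy_vga_new(16);
    if (!s) return 1;
    /* Offset 14 straddles the end of a 16-byte buffer: bytes 14, 15, 0, 1. */
    printf("0x%08x\n", toy_read_dword_le(s, 14));
    free(s->vram); free(s);
    return 0;
}
```

A wrapped read returns the wrong pixels for a bogus guest configuration, but it stays inside the allocation rather than reaching the guard page the commit message mentions.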