qemu-commits

[Qemu-commits] [qemu/qemu] a1f7ef: hw/display/qxl: Have qxl_log_command


From: Paolo Bonzini
Subject: [Qemu-commits] [qemu/qemu] a1f7ef: hw/display/qxl: Have qxl_log_command Return early ...
Date: Tue, 29 Nov 2022 11:28:19 -0800

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: a1f7efd283c1852407f5f28b20032d0a7c6f0f65
      
https://github.com/qemu/qemu/commit/a1f7efd283c1852407f5f28b20032d0a7c6f0f65
  Author: Philippe Mathieu-Daudé <philmd@linaro.org>
  Date:   2022-11-29 (Tue, 29 Nov 2022)

  Changed paths:
    M hw/display/qxl-logger.c

  Log Message:
  -----------
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler

Only 3 command types are logged: no need to call qxl_phys2virt()
for the other types. Using different cases will help to pass
different structure sizes to qxl_phys2virt() in a pair of commits.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-2-philmd@linaro.org>


  Commit: bf7f31561f1bfde327a6aec5b3417640cbf5407c
      
https://github.com/qemu/qemu/commit/bf7f31561f1bfde327a6aec5b3417640cbf5407c
  Author: Philippe Mathieu-Daudé <philmd@linaro.org>
  Date:   2022-11-29 (Tue, 29 Nov 2022)

  Changed paths:
    M hw/display/qxl.h

  Log Message:
  -----------
  hw/display/qxl: Document qxl_phys2virt()

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-3-philmd@linaro.org>


  Commit: e31bba09d5ca7a2493ed10746bfeb21c8ad62663
      
https://github.com/qemu/qemu/commit/e31bba09d5ca7a2493ed10746bfeb21c8ad62663
  Author: Philippe Mathieu-Daudé <philmd@linaro.org>
  Date:   2022-11-29 (Tue, 29 Nov 2022)

  Changed paths:
    M hw/display/qxl-logger.c
    M hw/display/qxl-render.c
    M hw/display/qxl.c
    M hw/display/qxl.h

  Log Message:
  -----------
  hw/display/qxl: Pass requested buffer size to qxl_phys2virt()

Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.

For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no changes are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-4-philmd@linaro.org>


  Commit: dcc6cef5c2ceb7347b866a3cf148a5c93cb7b608
      
https://github.com/qemu/qemu/commit/dcc6cef5c2ceb7347b866a3cf148a5c93cb7b608
  Author: Philippe Mathieu-Daudé <philmd@linaro.org>
  Date:   2022-11-29 (Tue, 29 Nov 2022)

  Changed paths:
    M hw/display/qxl.c
    M hw/display/qxl.h

  Log Message:
  -----------
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)

Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.

Similarly qxl_phys2virt() now returns NULL in such a case, and
qxl_dirty_one_surface() aborts.

This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().

Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-5-philmd@linaro.org>


  Commit: d8f82b5f08921d8dfeb0aae8c826a21a001d703b
      
https://github.com/qemu/qemu/commit/d8f82b5f08921d8dfeb0aae8c826a21a001d703b
  Author: Philippe Mathieu-Daudé <philmd@linaro.org>
  Date:   2022-11-29 (Tue, 29 Nov 2022)

  Changed paths:
    M hw/display/qxl.c

  Log Message:
  -----------
  hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-6-philmd@linaro.org>
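The two commits above (the CVE-2022-4144 fix, which makes qxl_get_check_slot_offset() reject a buffer that does not fit in the slot, and the follow-up assertion that a registered slot fits its preallocated MemoryRegion) describe a bounds check on guest-controlled address translation. The block below is an added example written for this page; it is not QEMU code and not part of the commit series. It models the slot/offset decoding with a pre-fix translation that only validates the start offset next to a post-fix translation that takes the requested buffer size, and a register_slot() that refuses a slot larger than its backing buffer in place of the assertion. The slot count, the 8-bit slot field, the 256-byte backing buffer, the sample offsets and every function name are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not QEMU code): the top SLOT_BITS of a 64-bit guest
 * physical value select a memory slot, the remaining bits are an offset
 * into that slot. Widths, slot count and names are assumptions for the demo.
 */
#define NUM_MEMSLOTS 8
#define SLOT_BITS    8
#define OFFSET_MASK  ((UINT64_C(1) << (64 - SLOT_BITS)) - 1)

typedef struct {
    bool     active;
    uint64_t size;      /* bytes of guest memory mapped through this slot */
    uint8_t *host_ptr;  /* host backing memory for the slot */
} MemSlot;

static MemSlot guest_slots[NUM_MEMSLOTS];
static uint8_t slot0_backing[256];   /* constructed backing store for slot 0 */

/* Build a guest physical value the way a guest driver would. */
uint64_t make_phys(uint32_t slot, uint64_t offset)
{
    return ((uint64_t)slot << (64 - SLOT_BITS)) | (offset & OFFSET_MASK);
}

/* Register a slot; refuse a size the backing buffer cannot hold. This is the
 * "slot fits in preallocated region" condition as a return value rather than
 * an assert, so it can be exercised without aborting. */
bool register_slot(uint32_t slot, uint8_t *backing, size_t backing_len,
                   uint64_t size)
{
    if (slot >= NUM_MEMSLOTS || size > backing_len) {
        return false;
    }
    guest_slots[slot].active   = true;
    guest_slots[slot].size     = size;
    guest_slots[slot].host_ptr = backing;
    return true;
}

/* Reset the slot table: only slot 0 active, 256 bytes. */
void setup_slots(void)
{
    for (int i = 0; i < NUM_MEMSLOTS; i++) {
        guest_slots[i].active = false;
        guest_slots[i].size = 0;
        guest_slots[i].host_ptr = NULL;
    }
    register_slot(0, slot0_backing, sizeof(slot0_backing), sizeof(slot0_backing));
}

/* Pre-fix shape: only the start offset is checked against the slot, so a
 * structure that starts near the end of the slot is read past it. */
void *phys2virt_unchecked(uint64_t phys)
{
    uint32_t slot   = (uint32_t)(phys >> (64 - SLOT_BITS));
    uint64_t offset = phys & OFFSET_MASK;

    if (slot >= NUM_MEMSLOTS || !guest_slots[slot].active) {
        return NULL;
    }
    if (offset >= guest_slots[slot].size) {
        return NULL;
    }
    return guest_slots[slot].host_ptr + offset;
}

/* Post-fix shape: the caller passes how many bytes it will access and the
 * translation fails unless [offset, offset + size) lies inside the slot.
 * Written as size > slot_size - offset so offset + size can never wrap. */
void *phys2virt_checked(uint64_t phys, size_t size_requested)
{
    uint32_t slot   = (uint32_t)(phys >> (64 - SLOT_BITS));
    uint64_t offset = phys & OFFSET_MASK;

    if (slot >= NUM_MEMSLOTS || !guest_slots[slot].active) {
        return NULL;
    }
    if (offset >= guest_slots[slot].size) {
        return NULL;
    }
    if (size_requested > guest_slots[slot].size - offset) {
        return NULL;   /* requested buffer would overrun the slot */
    }
    return guest_slots[slot].host_ptr + offset;
}

/* Bytes an unchecked access of size_requested at phys would touch past the
 * end of the slot (0 when it fits or the address is rejected outright). */
uint64_t overrun_bytes(uint64_t phys, size_t size_requested)
{
    uint32_t slot   = (uint32_t)(phys >> (64 - SLOT_BITS));
    uint64_t offset = phys & OFFSET_MASK;
    if (phys2virt_unchecked(phys) == NULL) {
        return 0;
    }
    uint64_t end = offset + size_requested;
    return end > guest_slots[slot].size ? end - guest_slots[slot].size : 0;
}

int main(void)
{
    setup_slots();
    /* A 16-byte command placed 4 bytes before the end of the 256-byte slot. */
    uint64_t phys = make_phys(0, 252);
    printf("unchecked: %s, access would run %llu bytes past the slot\n",
           phys2virt_unchecked(phys) ? "pointer returned" : "NULL",
           (unsigned long long)overrun_bytes(phys, 16));
    printf("checked:   %s\n",
           phys2virt_checked(phys, 16) ? "pointer returned" : "NULL");
    return 0;
}
```

The start-offset check alone accepts an address whose structure straddles the slot boundary; passing the size the caller is about to read is what turns the translation into a real bounds check, and the subtraction form keeps the comparison correct even for offsets near the top of the field.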


  Commit: abcf39c456f5a7e0a16b3535672a79b3eeda936f
      
https://github.com/qemu/qemu/commit/abcf39c456f5a7e0a16b3535672a79b3eeda936f
  Author: Stefan Hajnoczi <stefanha@redhat.com>
  Date:   2022-11-29 (Tue, 29 Nov 2022)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update VERSION for v7.2.0-rc3

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>


Compare: https://github.com/qemu/qemu/compare/ecbb6bd865d2...abcf39c456f5
