From: Michael Roth
Subject: [Qemu-devel] [PATCH 29/56] vmsvga: don't process more than 1024 fifo commands at once
Date: Mon, 8 Aug 2016 16:04:00 -0500

From: Gerd Hoffmann <address@hidden>
vmsvga_fifo_run is called at regular intervals (on each display update)
and will resume where it left off. So we can simply exit the loop,
without having to worry about how processing will continue.
Fixes: CVE-2016-4453
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
Signed-off-by: Michael Roth <address@hidden>
---
hw/display/vmware_vga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index de2567b..e51a05e 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct
vmsvga_state_s *s)
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
{
uint32_t cmd, colour;
- int args, len;
+ int args, len, maxloop = 1024;
int x, y, dx, dy, width, height;
struct vmsvga_cursor_definition_s cursor;
uint32_t cmd_start;
len = vmsvga_fifo_length(s);
- while (len > 0) {
+ while (len > 0 && --maxloop > 0) {
/* May need to go back to the start of the command if incomplete */
cmd_start = s->fifo_stop;
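Review bot: with `--maxloop > 0` the loop body runs at most 1023 times, not the 1024 the subject line promises, because maxloop is decremented before the comparison on the first iteration; if 1024 is the intended bound, use `maxloop-- > 0` (or initialise to 1025), otherwise note in a comment that the cap is approximate. The bound itself is the right shape of fix for CVE-2016-4453: a guest that keeps the FIFO non-empty can no longer hold vmsvga_fifo_run in an unbounded loop, and since the function is re-entered on every display update, as the commit message states, unprocessed commands are picked up on the next call rather than lost. Consider a named constant in place of the magic number 1024 in the declaration.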
--
1.9.1