From: Philippe Mathieu-Daudé
Subject: [RFC PATCH-for-7.2 0/4] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()
Date: Fri, 25 Nov 2022 16:40:26 +0100

memory_region_get_ram_ptr() returns a host pointer for a
MemoryRegion. Sometimes we do offset calculation using this
pointer without checking the underlying MemoryRegion size.

Wenxu Yin reported a buffer overrun in QXL. This series
aims to fix it. I haven't audited the other _get_ram_ptr()
uses (yet). Eventually we could rename it _get_ram_ptr_unsafe
and add a safer helper which checks for overrun.

Worth considering for 7.2?

Regards,

Phil.

Philippe Mathieu-Daudé (4):
  hw/display/qxl: Have qxl_log_command Return early if no log_cmd
    handler
  hw/display/qxl: Document qxl_phys2virt()
  hw/display/qxl: Pass qxl_phys2virt size
  hw/display/qxl: Avoid buffer overrun in qxl_phys2virt()

 hw/display/qxl-logger.c | 22 +++++++++++++++++++---
 hw/display/qxl-render.c | 11 +++++++----
 hw/display/qxl.c        | 25 +++++++++++++++++++------
 hw/display/qxl.h        | 23 ++++++++++++++++++++++-
 4 files changed, 67 insertions(+), 14 deletions(-)

-- 
2.38.1
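
The cover letter above describes the hazard in general terms: a host pointer obtained for a RAM-backed region is offset by a guest-supplied value without checking the region's size. The following is an added illustration, not code from this series or from QEMU; it models a region as a toy struct (`RamRegion`, a constructed stand-in for a MemoryRegion) and puts an unchecked offset computation next to a checked helper of the kind the letter suggests, one that rejects any object not lying entirely inside the region and that cannot wrap around in the `offset + size` arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a RAM-backed MemoryRegion: the host pointer that a
 * get_ram_ptr()-style accessor would hand back, plus the size of the backing
 * RAM. This is a model for illustration only, not QEMU's MemoryRegion. */
typedef struct {
    uint8_t *host;   /* start of the host buffer backing the region */
    uint64_t size;   /* bytes of RAM behind that pointer */
} RamRegion;

/* Unchecked translation: the pattern the cover letter warns about. Any offset
 * is accepted, so a guest-controlled offset at or beyond 'size' yields a host
 * pointer outside the region. Shown only to contrast with the checked form. */
static void *phys2virt_unchecked(const RamRegion *r, uint64_t offset)
{
    return r->host + offset;
}

/* Checked translation: succeeds only if the whole object [offset, offset+size)
 * fits inside the region. The comparison is arranged so that a huge 'offset'
 * or 'size' cannot overflow and slip past the check. On failure *out is NULL. */
static bool phys2virt_checked(const RamRegion *r, uint64_t offset,
                              uint64_t size, void **out)
{
    *out = NULL;
    if (size == 0 || offset > r->size) {
        return false;
    }
    /* Same as offset + size <= r->size, but without wrap-around. */
    if (size > r->size - offset) {
        return false;
    }
    *out = r->host + offset;
    return true;
}

/* Runs a few lookups against a 64-byte constructed region and returns how
 * many of them the checked helper rejected (expected: 4 of 6). */
static int count_rejected_lookups(void)
{
    static uint8_t backing[64];
    RamRegion r = { backing, sizeof backing };
    struct { uint64_t offset, size; } probes[] = {
        { 0, 64 },          /* exactly the whole region: accepted */
        { 60, 4 },          /* last four bytes: accepted */
        { 60, 5 },          /* one byte past the end: rejected */
        { 64, 1 },          /* starts at the end: rejected */
        { UINT64_MAX, 1 },  /* offset that would wrap: rejected */
        { 1, UINT64_MAX },  /* size that would wrap: rejected */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        void *p;
        if (!phys2virt_checked(&r, probes[i].offset, probes[i].size, &p)) {
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    printf("checked helper rejected %d of 6 probe lookups\n",
           count_rejected_lookups());
    return 0;
}
```

The unchecked variant returns a pointer for every probe above, including the two that wrap; the checked one returns a pointer only for the first two, which is why a caller that knows the size of the object it is about to read (the third patch in the series passes exactly that size) can fail closed instead of reading past the region.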
