1From 3d90c6254863693a6b13d918d2b8682e08bbc681 Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Mon, 28 Aug 2017 14:29:06 +0200
4Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions
5
6Instead pass around the address (aka offset into vga memory).
7Add vga_read_* helper functions which apply vbe_size_mask to
8the address, to make sure the address stays within the valid
9range, similar to the cirrus blitter fixes (commits ffaf857778
10and 026aeffcb4).
11
12Impact: DoS for privileged guest users. qemu crashes with
13a segfault, when hitting the guard page after vga memory
14allocation, while reading vga memory for display updates.
15
16Fixes: CVE-2017-13672
17Cc: P J P <ppandit@redhat.com>
18Reported-by: David Buchanan <d@vidbuchanan.co.uk>
19Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
20Message-id: 20170828122906.18993-1-kraxel@redhat.com
21
22Upstream-Status: Backport
23[https://git.qemu.org/?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681]
24
25CVE: CVE-2017-13672
26
27Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
28---
29 hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++---------------------
30 hw/display/vga.c | 5 +-
31 hw/display/vga_int.h | 1 +
32 3 files changed, 114 insertions(+), 94 deletions(-)
33
34diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h
35index 94f6de2..5a752b3 100644
36--- a/hw/display/vga-helpers.h
37+++ b/hw/display/vga-helpers.h
38@@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,
39 } while (--h);
40 }
41
42+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
43+{
44+ return vga->vram_ptr[addr & vga->vbe_size_mask];
45+}
46+
47+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
48+{
49+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
50+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
51+ return lduw_le_p(ptr);
52+}
53+
54+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
55+{
56+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
57+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
58+ return lduw_be_p(ptr);
59+}
60+
61+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
62+{
63+ uint32_t offset = addr & vga->vbe_size_mask & ~3;
64+ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
65+ return ldl_le_p(ptr);
66+}
67+
68 /*
69 * 4 color mode
70 */
71-static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
72- const uint8_t *s, int width)
73+static void vga_draw_line2(VGACommonState *vga, uint8_t *d,
74+ uint32_t addr, int width)
75 {
76 uint32_t plane_mask, *palette, data, v;
77 int x;
78
79- palette = s1->last_palette;
80- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
81+ palette = vga->last_palette;
82+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
83 width >>= 3;
84 for(x = 0; x < width; x++) {
85- data = ((uint32_t *)s)[0];
86+ data = vga_read_dword_le(vga, addr);
87 data &= plane_mask;
88 v = expand2[GET_PLANE(data, 0)];
89 v |= expand2[GET_PLANE(data, 2)] << 2;
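Review bot: vga_draw_line2 now decodes planar data through vga_read_dword_le (the `data = vga_read_dword_le(vga, addr);` line of this hunk), an explicitly little-endian load, whereas the code it replaces, `((uint32_t *)s)[0]`, was a host-order load; if GET_PLANE and mask16 are defined host-endian-aware (they are not visible here — confirm), plane extraction on big-endian hosts will now pick the wrong byte. If the old semantics are intended, the helper should use the host-order accessor, e.g. `return ldl_p(ptr);`, and be named `vga_read_dword` rather than `_le`. The `& ~1` / `& ~3` in the word and dword helpers also silently round an odd address down, which the original unaligned `lduw_le_p((void *)s)` did not do; if, as in QEMU's bswap.h, the ld*_p accessors are memcpy-based and accept unaligned pointers, that rounding and the `(uint16_t *)`/`(uint32_t *)` casts can go, otherwise it deserves a comment saying it is intentional. The helpers carry no header comment; I would add `/* Bounded VRAM reads: addr is masked with vbe_size_mask, so a guest-controlled address can never index past the vram allocation (requires vbe_size to be a power of two). */` above vga_read_byte. vga_draw_line2's body continues past the end of the hunk.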
90@@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
91 ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
92 ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
93 d += 32;
94- s += 4;
95+ addr += 4;
96 }
97 }
98
99@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
100 /*
101 * 4 color mode, dup2 horizontal
102 */
103-static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
104- const uint8_t *s, int width)
105+static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d,
106+ uint32_t addr, int width)
107 {
108 uint32_t plane_mask, *palette, data, v;
109 int x;
110
111- palette = s1->last_palette;
112- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
113+ palette = vga->last_palette;
114+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
115 width >>= 3;
116 for(x = 0; x < width; x++) {
117- data = ((uint32_t *)s)[0];
118+ data = vga_read_dword_le(vga, addr);
119 data &= plane_mask;
120 v = expand2[GET_PLANE(data, 0)];
121 v |= expand2[GET_PLANE(data, 2)] << 2;
122@@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
123 PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
124 PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
125 d += 64;
126- s += 4;
127+ addr += 4;
128 }
129 }
130
131 /*
132 * 16 color mode
133 */
134-static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
135- const uint8_t *s, int width)
136+static void vga_draw_line4(VGACommonState *vga, uint8_t *d,
137+ uint32_t addr, int width)
138 {
139 uint32_t plane_mask, data, v, *palette;
140 int x;
141
142- palette = s1->last_palette;
143- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
144+ palette = vga->last_palette;
145+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
146 width >>= 3;
147 for(x = 0; x < width; x++) {
148- data = ((uint32_t *)s)[0];
149+ data = vga_read_dword_le(vga, addr);
150 data &= plane_mask;
151 v = expand4[GET_PLANE(data, 0)];
152 v |= expand4[GET_PLANE(data, 1)] << 1;
153@@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
154 ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
155 ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
156 d += 32;
157- s += 4;
158+ addr += 4;
159 }
160 }
161
162 /*
163 * 16 color mode, dup2 horizontal
164 */
165-static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
166- const uint8_t *s, int width)
167+static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d,
168+ uint32_t addr, int width)
169 {
170 uint32_t plane_mask, data, v, *palette;
171 int x;
172
173- palette = s1->last_palette;
174- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
175+ palette = vga->last_palette;
176+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
177 width >>= 3;
178 for(x = 0; x < width; x++) {
179- data = ((uint32_t *)s)[0];
180+ data = vga_read_dword_le(vga, addr);
181 data &= plane_mask;
182 v = expand4[GET_PLANE(data, 0)];
183 v |= expand4[GET_PLANE(data, 1)] << 1;
184@@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
185 PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
186 PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
187 d += 64;
188- s += 4;
189+ addr += 4;
190 }
191 }
192
193@@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
194 *
195 * XXX: add plane_mask support (never used in standard VGA modes)
196 */
197-static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
198- const uint8_t *s, int width)
199+static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d,
200+ uint32_t addr, int width)
201 {
202 uint32_t *palette;
203 int x;
204
205- palette = s1->last_palette;
206+ palette = vga->last_palette;
207 width >>= 3;
208 for(x = 0; x < width; x++) {
209- PUT_PIXEL2(d, 0, palette[s[0]]);
210- PUT_PIXEL2(d, 1, palette[s[1]]);
211- PUT_PIXEL2(d, 2, palette[s[2]]);
212- PUT_PIXEL2(d, 3, palette[s[3]]);
213+ PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);
214+ PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);
215+ PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);
216+ PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);
217 d += 32;
218- s += 4;
219+ addr += 4;
220 }
221 }
222
223@@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
224 *
225 * XXX: add plane_mask support (never used in standard VGA modes)
226 */
227-static void vga_draw_line8(VGACommonState *s1, uint8_t *d,
228- const uint8_t *s, int width)
229+static void vga_draw_line8(VGACommonState *vga, uint8_t *d,
230+ uint32_t addr, int width)
231 {
232 uint32_t *palette;
233 int x;
234
235- palette = s1->last_palette;
236+ palette = vga->last_palette;
237 width >>= 3;
238 for(x = 0; x < width; x++) {
239- ((uint32_t *)d)[0] = palette[s[0]];
240- ((uint32_t *)d)[1] = palette[s[1]];
241- ((uint32_t *)d)[2] = palette[s[2]];
242- ((uint32_t *)d)[3] = palette[s[3]];
243- ((uint32_t *)d)[4] = palette[s[4]];
244- ((uint32_t *)d)[5] = palette[s[5]];
245- ((uint32_t *)d)[6] = palette[s[6]];
246- ((uint32_t *)d)[7] = palette[s[7]];
247+ ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)];
248+ ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)];
249+ ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)];
250+ ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)];
251+ ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)];
252+ ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)];
253+ ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)];
254+ ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)];
255 d += 32;
256- s += 8;
257+ addr += 8;
258 }
259 }
260
261 /*
262 * 15 bit color
263 */
264-static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d,
265- const uint8_t *s, int width)
266+static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d,
267+ uint32_t addr, int width)
268 {
269 int w;
270 uint32_t v, r, g, b;
271
272 w = width;
273 do {
274- v = lduw_le_p((void *)s);
275+ v = vga_read_word_le(vga, addr);
276 r = (v >> 7) & 0xf8;
277 g = (v >> 2) & 0xf8;
278 b = (v << 3) & 0xf8;
279 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
280- s += 2;
281+ addr += 2;
282 d += 4;
283 } while (--w != 0);
284 }
285
286-static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
287- const uint8_t *s, int width)
288+static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d,
289+ uint32_t addr, int width)
290 {
291 int w;
292 uint32_t v, r, g, b;
293
294 w = width;
295 do {
296- v = lduw_be_p((void *)s);
297+ v = vga_read_word_be(vga, addr);
298 r = (v >> 7) & 0xf8;
299 g = (v >> 2) & 0xf8;
300 b = (v << 3) & 0xf8;
301 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
302- s += 2;
303+ addr += 2;
304 d += 4;
305 } while (--w != 0);
306 }
307@@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
308 /*
309 * 16 bit color
310 */
311-static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d,
312- const uint8_t *s, int width)
313+static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d,
314+ uint32_t addr, int width)
315 {
316 int w;
317 uint32_t v, r, g, b;
318
319 w = width;
320 do {
321- v = lduw_le_p((void *)s);
322+ v = vga_read_word_le(vga, addr);
323 r = (v >> 8) & 0xf8;
324 g = (v >> 3) & 0xfc;
325 b = (v << 3) & 0xf8;
326 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
327- s += 2;
328+ addr += 2;
329 d += 4;
330 } while (--w != 0);
331 }
332
333-static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
334- const uint8_t *s, int width)
335+static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d,
336+ uint32_t addr, int width)
337 {
338 int w;
339 uint32_t v, r, g, b;
340
341 w = width;
342 do {
343- v = lduw_be_p((void *)s);
344+ v = vga_read_word_be(vga, addr);
345 r = (v >> 8) & 0xf8;
346 g = (v >> 3) & 0xfc;
347 b = (v << 3) & 0xf8;
348 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
349- s += 2;
350+ addr += 2;
351 d += 4;
352 } while (--w != 0);
353 }
354@@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
355 /*
356 * 24 bit color
357 */
358-static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d,
359- const uint8_t *s, int width)
360+static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d,
361+ uint32_t addr, int width)
362 {
363 int w;
364 uint32_t r, g, b;
365
366 w = width;
367 do {
368- b = s[0];
369- g = s[1];
370- r = s[2];
371+ b = vga_read_byte(vga, addr + 0);
372+ g = vga_read_byte(vga, addr + 1);
373+ r = vga_read_byte(vga, addr + 2);
374 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
375- s += 3;
376+ addr += 3;
377 d += 4;
378 } while (--w != 0);
379 }
380
381-static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
382- const uint8_t *s, int width)
383+static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d,
384+ uint32_t addr, int width)
385 {
386 int w;
387 uint32_t r, g, b;
388
389 w = width;
390 do {
391- r = s[0];
392- g = s[1];
393- b = s[2];
394+ r = vga_read_byte(vga, addr + 0);
395+ g = vga_read_byte(vga, addr + 1);
396+ b = vga_read_byte(vga, addr + 2);
397 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
398- s += 3;
399+ addr += 3;
400 d += 4;
401 } while (--w != 0);
402 }
403@@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
404 /*
405 * 32 bit color
406 */
407-static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d,
408- const uint8_t *s, int width)
409+static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d,
410+ uint32_t addr, int width)
411 {
412-#ifndef HOST_WORDS_BIGENDIAN
413- memcpy(d, s, width * 4);
414-#else
415 int w;
416 uint32_t r, g, b;
417
418 w = width;
419 do {
420- b = s[0];
421- g = s[1];
422- r = s[2];
423+ b = vga_read_byte(vga, addr + 0);
424+ g = vga_read_byte(vga, addr + 1);
425+ r = vga_read_byte(vga, addr + 2);
426 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
427- s += 4;
428+ addr += 4;
429 d += 4;
430 } while (--w != 0);
431-#endif
432 }
433
434-static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d,
435- const uint8_t *s, int width)
436+static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d,
437+ uint32_t addr, int width)
438 {
439-#ifdef HOST_WORDS_BIGENDIAN
440- memcpy(d, s, width * 4);
441-#else
442 int w;
443 uint32_t r, g, b;
444
445 w = width;
446 do {
447- r = s[1];
448- g = s[2];
449- b = s[3];
450+ r = vga_read_byte(vga, addr + 1);
451+ g = vga_read_byte(vga, addr + 2);
452+ b = vga_read_byte(vga, addr + 3);
453 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
454- s += 4;
455+ addr += 4;
456 d += 4;
457 } while (--w != 0);
458-#endif
459 }
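Review bot: vga_draw_line32_le loses its memcpy fast path for little-endian hosts (the `#ifndef HOST_WORDS_BIGENDIAN` block removed at the top of this hunk), so every 32bpp scanline is now converted pixel by pixel through four masked byte reads plus rgb_to_pixel32. The bound this patch introduces can instead be checked once per line: when the masked start offset plus width * 4 does not exceed vbe_size the whole line lies inside VRAM and the old memcpy is safe, and only a line that would wrap needs the slow loop; the mirrored block in vga_draw_line32_be can be treated the same way. Note that memcpy copies the fourth byte verbatim while the loop routes it through rgb_to_pixel32, so the fast path is only equivalent if nothing relies on that byte, which was already the situation before the patch.
```c
static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d,
                               uint32_t addr, int width)
{
#ifndef HOST_WORDS_BIGENDIAN
    uint32_t off = addr & vga->vbe_size_mask;

    /* Whole line inside VRAM: keep the pre-patch memcpy fast path. */
    if (width > 0 && (uint64_t)off + (uint64_t)width * 4 <= vga->vbe_size) {
        memcpy(d, vga->vram_ptr + off, (size_t)width * 4);
        return;
    }
#endif
    /* … unchanged: per-pixel masked byte reads via vga_read_byte … */
}
```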
460diff --git a/hw/display/vga.c b/hw/display/vga.c
461index ad7a465..6fc8c87 100644
462--- a/hw/display/vga.c
463+++ b/hw/display/vga.c
464@@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
465 }
466
467 typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
468- const uint8_t *s, int width);
469+ uint32_t srcaddr, int width);
470
471 #include "vga-helpers.h"
472
473@@ -1666,7 +1666,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
474 if (y_start < 0)
475 y_start = y;
476 if (!(is_buffer_shared(surface))) {
477- vga_draw_line(s, d, s->vram_ptr + addr, width);
478+ vga_draw_line(s, d, addr, width);
479 if (s->cursor_draw_line)
480 s->cursor_draw_line(s, d, y);
481 }
482@@ -2170,6 +2170,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)
483 if (!s->vbe_size) {
484 s->vbe_size = s->vram_size;
485 }
486+ s->vbe_size_mask = s->vbe_size - 1;
487
488 s->is_vbe_vmstate = 1;
489 memory_region_init_ram_nomigrate(&s->vram, obj, "vga.vram", s->vram_size,
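Review bot: `s->vbe_size_mask = s->vbe_size - 1;` only confines an address to the VRAM allocation if vbe_size is a power of two; for any other size the mask admits offsets between vbe_size and the next power of two, which is precisely the out-of-range read this patch is meant to close. Nothing in this hunk enforces that — vbe_size may arrive pre-set from the caller, as the `if (!s->vbe_size)` guard shows, and any rounding of vram_size happens outside the hunk — so I would add `assert(is_power_of_2(s->vbe_size));` (is_power_of_2() from qemu/host-utils.h, if not already included) before the assignment, or at minimum a comment stating the requirement. vga_common_init continues on both sides of the hunk.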
490diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
491index dd6c958..ad34a1f 100644
492--- a/hw/display/vga_int.h
493+++ b/hw/display/vga_int.h
494@@ -94,6 +94,7 @@ typedef struct VGACommonState {
495 uint32_t vram_size;
496 uint32_t vram_size_mb; /* property */
497 uint32_t vbe_size;
498+ uint32_t vbe_size_mask;
499 uint32_t latch;
500 bool has_chain4_alias;
501 MemoryRegion chain4_alias;
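Review bot: The new vbe_size_mask field is undocumented, unlike the neighbouring `vram_size_mb; /* property */`, and its relation to vbe_size is only discoverable by reading vga_common_init. I would annotate it as `uint32_t vbe_size_mask; /* vbe_size - 1; valid only while vbe_size is a power of two */` so that anyone changing vbe_size later knows the mask must be recomputed alongside it. VGACommonState extends beyond the hunk on both sides.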
502--
5032.7.4
504