1 | From 391a9e6fd8c6cf615f2ffe44bb85245df52cc2b6 Mon Sep 17 00:00:00 2001 |
2 | From: Gerd Hoffmann <kraxel@redhat.com> | |
3 | Date: Thu, 9 Feb 2017 14:02:20 +0100 | |
4 | Subject: [PATCH 1/2] cirrus: fix patterncopy checks | |
5 | ||
6 | The blit_region_is_unsafe checks don't work correctly for the | |
7 | patterncopy source. It's a fixed-sized region, which doesn't | |
8 | depend on cirrus_blt_{width,height}. So go do the check in | |
9 | cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that | |
10 | it doesn't need to verify the source. Also handle the case where we | |
11 | blit from cirrus_bltbuf correctly. | |
12 | ||
13 | This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c. | |
14 | ||
15 | Security impact: I think for the most part error on the safe side this | |
16 | time, refusing blits which should have been allowed. | |
17 | ||
18 | Only exception is placing the blit source at the end of the video ram, | |
19 | so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But | |
20 | even in that case I'm not fully sure this actually allows read access to | |
21 | host memory. To trick the commit 5858dd18 security checks one has to | |
22 | pick very small cirrus_blt_{width,height} values, which in turn implies | |
23 | only a fraction of the blit source will actually be used. | |
24 | ||
25 | Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> | |
26 | Cc: Dr. David Alan Gilbert <dgilbert@redhat.com> | |
27 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | |
28 | --- | |
29 | hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------ | |
30 | 1 file changed, 30 insertions(+), 6 deletions(-) | |
31 | ||
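diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 16f27e8..6bd13fc 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
 }
 }
 
-static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
- const uint8_t * src)
+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
 {
+ uint32_t patternsize;
 uint8_t *dst;
+ uint8_t *src;
 
 dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
 
- if (blit_is_unsafe(s, false, true)) {
+ if (videosrc) {
+ switch (s->vga.get_bpp(&s->vga)) {
+ case 8:
+ patternsize = 64;
+ break;
+ case 15:
+ case 16:
+ patternsize = 128;
+ break;
+ case 24:
+ case 32:
+ default:
+ patternsize = 256;
+ break;
+ }
+ s->cirrus_blt_srcaddr &= ~(patternsize - 1);
+ if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
+ return 0;
+ }
+ src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
+ } else {
+ src = s->cirrus_bltbuf;
+ }
+
+ if (blit_is_unsafe(s, true, true)) {
 return 0;
 }
 
@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
 
 static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
 {
- return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
- (s->cirrus_blt_srcaddr & ~7));
+ return cirrus_bitblt_common_patterncopy(s, true);
 }
 
 static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
 
 if (s->cirrus_srccounter > 0) {
 if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
- cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf);
+ cirrus_bitblt_common_patterncopy(s, false);
 the_end:
 s->cirrus_srccounter = 0;
 cirrus_bitblt_reset(s);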
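Review bot: `s->cirrus_blt_srcaddr &= ~(patternsize - 1);` in the first hunk clears the stored source address's low bits in place, whereas the code it replaces (second hunk) masked only inside the expression `s->vga.vram_ptr + (s->cirrus_blt_srcaddr & ~7)` and left the register value intact. Anything that later reads those bits from `cirrus_blt_srcaddr` — the pattern ROP invoked after this check is the obvious candidate — now sees zeros; if that is not intended, mask a local instead: `uint32_t srcaddr = s->cirrus_blt_srcaddr & ~(patternsize - 1);` / `if (srcaddr + patternsize > s->vga.vram_size) { return 0; }` / `src = s->vga.vram_ptr + srcaddr;`, which keeps the range check identical because the aligned base is still what is bounded. Separately, `patternsize` is derived from the display depth via `get_bpp()`; if the blitter's pixel width can be programmed independently of the display depth, the size verified here may not match what the selected pattern ROP reads, so a comment explaining why the display depth is the authoritative size (or a check against the blit's own pixel width) would make the bound's intent explicit. `cirrus_bitblt_common_patterncopy` continues past the end of the hunk, so the ROP call itself is not visible here.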
98 | -- | |
99 | 2.1.4 | |