[pve-qemu.git] / debian / patches / extra / 0011-vga-fix-display-update-region-calculation-split-scre.patch

From b8aa853672ab9e94821a43b6cb2a51d24cb2be8c Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 1 Sep 2017 14:57:38 +0200
Subject: [PATCH 11/23] vga: fix display update region calculation (split
 screen)

vga display update mis-calculated the region for the dirty bitmap
snapshot in case split screen mode is used.  This can trigger an
assert in cpu_physical_memory_snapshot_get_dirty().

Impact:  DoS for privileged guest users.

Fixes: CVE-2017-13673
Fixes: fec5e8c92becad223df9d972770522f64aafdb72
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828123307.15392-1-kraxel@redhat.com
---
 hw/display/vga.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index dcc95f88e2..533d8d7895 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
     y1 = 0;
 
     if (!full_update) {
+        ram_addr_t region_start = addr1;
+        ram_addr_t region_end = addr1 + line_offset * height;
         vga_sync_dirty_bitmap(s);
-        snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
-                                                      line_offset * height,
+        if (s->line_compare < height) {
+            /* split screen mode */
+            region_start = 0;
+        }
+        snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
+                                                      region_end - region_start,
                                                       DIRTY_MEMORY_VGA);
     }
 
-- 
2.11.0
Commit	Line	Data
c53dfb57	1	From b8aa853672ab9e94821a43b6cb2a51d24cb2be8c Mon Sep 17 00:00:00 2001
ddbcf45e WB	2	From: Gerd Hoffmann <kraxel@redhat.com>
ddbcf45e WB	3	Date: Fri, 1 Sep 2017 14:57:38 +0200
c53dfb57	4	Subject: [PATCH 11/23] vga: fix display update region calculation (split
ddbcf45e WB	5	screen)
	6
	7	vga display update mis-calculated the region for the dirty bitmap
	8	snapshot in case split screen mode is used. This can trigger an
	9	assert in cpu_physical_memory_snapshot_get_dirty().
	10
	11	Impact: DoS for privileged guest users.
	12
	13	Fixes: CVE-2017-13673
	14	Fixes: fec5e8c92becad223df9d972770522f64aafdb72
	15	Cc: P J P <ppandit@redhat.com>
	16	Reported-by: David Buchanan <d@vidbuchanan.co.uk>
	17	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	18	Message-id: 20170828123307.15392-1-kraxel@redhat.com
	19	---
	20	hw/display/vga.c \| 10 ++++++++--
	21	1 file changed, 8 insertions(+), 2 deletions(-)
	22
	23	diff --git a/hw/display/vga.c b/hw/display/vga.c
	24	index dcc95f88e2..533d8d7895 100644
	25	--- a/hw/display/vga.c
	26	+++ b/hw/display/vga.c
	27	@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
	28	y1 = 0;
	29
	30	if (!full_update) {
	31	+ ram_addr_t region_start = addr1;
	32	+ ram_addr_t region_end = addr1 + line_offset * height;
	33	vga_sync_dirty_bitmap(s);
	34	- snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
	35	- line_offset * height,
	36	+ if (s->line_compare < height) {
	37	+ /* split screen mode */
	38	+ region_start = 0;
	39	+ }
	40	+ snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
	41	+ region_end - region_start,
	42	DIRTY_MEMORY_VGA);
	43	}
	44
	45	--
	46	2.11.0
	47