c53dfb57 | 1 | From b8aa853672ab9e94821a43b6cb2a51d24cb2be8c Mon Sep 17 00:00:00 2001 |
2 | From: Gerd Hoffmann <kraxel@redhat.com> |
3 | Date: Fri, 1 Sep 2017 14:57:38 +0200 | |
c53dfb57 | 4 | Subject: [PATCH 11/23] vga: fix display update region calculation (split |
5 | screen) |
6 | ||
7 | vga display update mis-calculated the region for the dirty bitmap | |
8 | snapshot in case split screen mode is used. This can trigger an | |
9 | assert in cpu_physical_memory_snapshot_get_dirty(). | |
10 | ||
11 | Impact: DoS for privileged guest users. | |
12 | ||
13 | Fixes: CVE-2017-13673 | |
14 | Fixes: fec5e8c92becad223df9d972770522f64aafdb72 | |
15 | Cc: P J P <ppandit@redhat.com> | |
16 | Reported-by: David Buchanan <d@vidbuchanan.co.uk> | |
17 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | |
18 | Message-id: 20170828123307.15392-1-kraxel@redhat.com | |
19 | --- | |
20 | hw/display/vga.c | 10 ++++++++-- | |
21 | 1 file changed, 8 insertions(+), 2 deletions(-) | |
22 | ||
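--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
     y1 = 0;
 
     if (!full_update) {
+        ram_addr_t region_start = addr1;
+        ram_addr_t region_end = addr1 + line_offset * height;
         vga_sync_dirty_bitmap(s);
-        snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
-                                                      line_offset * height,
+        if (s->line_compare < height) {
+            /* split screen mode */
+            region_start = 0;
+        }
+        snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
+                                                      region_end - region_start,
                                                       DIRTY_MEMORY_VGA);
     }
 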
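Review bot: The `/* split screen mode */` comment above the new `region_start = 0;` does not say why the snapshot start moves to zero, which is the whole point of the fix; a reader of vga_draw_graphic would be helped by `/* split screen: scanlines at and below line_compare are fetched from vram offset 0, so the dirty snapshot must span [0, addr1 + line_offset * height) rather than starting at addr1 */`. Separately, `region_end` is still computed as `line_offset * height` in int arithmetic and only then widened to ram_addr_t; if both operands are already clamped by the register decoding earlier in the function that is fine, otherwise `(ram_addr_t)line_offset * height` would make the intent explicit. Whether region_end can exceed the vram size (the condition the commit message says trips the assert) is not checked in this hunk and cannot be confirmed from it. vga_draw_graphic begins and ends outside the hunk.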
45 | -- | |
46 | 2.11.0 | |