[pve-qemu.git] / debian / patches / extra / 0011-vga-fix-display-update-region-calculation-split-scre.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 1 Sep 2017 14:57:38 +0200
Subject: [PATCH] vga: fix display update region calculation (split screen)

vga display update mis-calculated the region for the dirty bitmap
snapshot in case split screen mode is used.  This can trigger an
assert in cpu_physical_memory_snapshot_get_dirty().

Impact:  DoS for privileged guest users.

Fixes: CVE-2017-13673
Fixes: fec5e8c92becad223df9d972770522f64aafdb72
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828123307.15392-1-kraxel@redhat.com
---
 hw/display/vga.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index dcc95f88e2..533d8d7895 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
     y1 = 0;
 
     if (!full_update) {
+        ram_addr_t region_start = addr1;
+        ram_addr_t region_end = addr1 + line_offset * height;
         vga_sync_dirty_bitmap(s);
-        snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
-                                                      line_offset * height,
+        if (s->line_compare < height) {
+            /* split screen mode */
+            region_start = 0;
+        }
+        snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
+                                                      region_end - region_start,
                                                       DIRTY_MEMORY_VGA);
     }
 
-- 
2.11.0
Commit	Line	Data
3dcc8d3b	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
ddbcf45e WB	2	From: Gerd Hoffmann <kraxel@redhat.com>
ddbcf45e WB	3	Date: Fri, 1 Sep 2017 14:57:38 +0200
3dcc8d3b	4	Subject: [PATCH] vga: fix display update region calculation (split screen)
ddbcf45e WB	5
	6	vga display update mis-calculated the region for the dirty bitmap
	7	snapshot in case split screen mode is used. This can trigger an
	8	assert in cpu_physical_memory_snapshot_get_dirty().
	9
	10	Impact: DoS for privileged guest users.
	11
	12	Fixes: CVE-2017-13673
	13	Fixes: fec5e8c92becad223df9d972770522f64aafdb72
	14	Cc: P J P <ppandit@redhat.com>
	15	Reported-by: David Buchanan <d@vidbuchanan.co.uk>
	16	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
	17	Message-id: 20170828123307.15392-1-kraxel@redhat.com
	18	---
	19	hw/display/vga.c \| 10 ++++++++--
	20	1 file changed, 8 insertions(+), 2 deletions(-)
	21
	22	diff --git a/hw/display/vga.c b/hw/display/vga.c
	23	index dcc95f88e2..533d8d7895 100644
	24	--- a/hw/display/vga.c
	25	+++ b/hw/display/vga.c
	26	@@ -1628,9 +1628,15 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
	27	y1 = 0;
	28
	29	if (!full_update) {
	30	+ ram_addr_t region_start = addr1;
	31	+ ram_addr_t region_end = addr1 + line_offset * height;
	32	vga_sync_dirty_bitmap(s);
	33	- snap = memory_region_snapshot_and_clear_dirty(&s->vram, addr1,
	34	- line_offset * height,
	35	+ if (s->line_compare < height) {
	36	+ /* split screen mode */
	37	+ region_start = 0;
	38	+ }
	39	+ snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
	40	+ region_end - region_start,
	41	DIRTY_MEMORY_VGA);
	42	}
	43
	44	--
	45	2.11.0
	46