[Qemu-commits] [qemu/qemu] fa06e5: virtio-gpu: fix scanout rectangles


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] fa06e5: virtio-gpu: fix scanout rectangles
Date: Mon, 06 Jun 2016 06:30:05 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: fa06e5cb7b10230e241477b13cb0beefa0d0c91e
      https://github.com/qemu/qemu/commit/fa06e5cb7b10230e241477b13cb0beefa0d0c91e
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-06-03 (Fri, 03 Jun 2016)

  Changed paths:
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  virtio-gpu: fix scanout rectangles

Commit "ca58b45 ui/virtio-gpu: add and use qemu_create_displaysurface_pixman"
breaks scanouts which use a region of the underlying resource only.

So, we need another way to handle the underlying issue.  Let's create a
new pixman image, grab a reference on the pixman providing the
underlying storage, hook up a destroy callback which releases the
reference.  That way regions work again and releasing the backing
storage should still be impossible thanks to the extra reference we are
holding.

Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden


  Commit: 521360267876d3b6518b328051a2e56bca55bef8
      https://github.com/qemu/qemu/commit/521360267876d3b6518b328051a2e56bca55bef8
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-06-06 (Mon, 06 Jun 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: move fifo sanity checks to vmsvga_fifo_length

Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write), which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e
      https://github.com/qemu/qemu/commit/c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-06-06 (Mon, 06 Jun 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: add more fifo checks

Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 7e486f7577764a07aa35588e119903c80a5c30a2
      https://github.com/qemu/qemu/commit/7e486f7577764a07aa35588e119903c80a5c30a2
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-06-06 (Mon, 06 Jun 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: shadow fifo registers

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization, which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: address@hidden
Cc: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 4e68a0ee17dad7b8d870df0081d4ab2e079016c2
      https://github.com/qemu/qemu/commit/4e68a0ee17dad7b8d870df0081d4ab2e079016c2
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-06-06 (Mon, 06 Jun 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: don't process more than 1024 fifo commands at once

vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
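Added example, not QEMU's code: a constructed C model of the defensive pattern the four vmsvga commits above describe (snapshot the guest-writable fifo pointers into shadows, range-check the shadows in a vmsvga_fifo_length-style function before every read, and process at most 1024 commands per run). The 64 KiB fifo size, the header layout and all names are assumptions.

```c
#include <stdint.h>

/* Constructed illustration (not QEMU's code): a guest-writable command FIFO laid
 * out like the SVGA one, four u32 header words of byte offsets, then command data. */
#define FIFO_SIZE        (64 * 1024)   /* bytes of shared FIFO RAM (assumed) */
#define MAX_CMDS_PER_RUN 1024          /* cap per fifo_run() call */
enum { FIFO_MIN, FIFO_MAX, FIFO_NEXT_CMD, FIFO_STOP }; /* header word indices */

struct fifo_state {
    uint32_t *fifo;                /* shared RAM; the guest may rewrite it at any time */
    uint32_t min, max, next, stop; /* shadow copies, validated before use */
};

/* Snapshot the header into the shadows and validate only the shadows, so the guest
 * cannot alter a pointer between check and use. Returns queued words, 0 if bogus. */
static int fifo_length(struct fifo_state *s)
{
    s->min  = s->fifo[FIFO_MIN];
    s->max  = s->fifo[FIFO_MAX];
    s->next = s->fifo[FIFO_NEXT_CMD];
    s->stop = s->fifo[FIFO_STOP];
    if (s->min < 4 * sizeof(uint32_t) || s->max > FIFO_SIZE || s->min >= s->max) return 0;
    if ((s->min | s->max | s->next | s->stop) & 3) return 0;     /* must be word aligned */
    if (s->next < s->min || s->next >= s->max) return 0;
    if (s->stop < s->min || s->stop >= s->max) return 0;
    int num = (int)s->next - (int)s->stop;
    if (num < 0) num += (int)(s->max - s->min);                 /* ring wrap-around */
    return num / 4;
}

/* Pop one word through the shadowed stop pointer, then publish the new stop. */
static uint32_t fifo_read(struct fifo_state *s)
{
    uint32_t word = s->fifo[s->stop / 4];
    s->stop += 4;
    if (s->stop >= s->max) s->stop = s->min;
    s->fifo[FIFO_STOP] = s->stop;
    return word;
}

/* Drain at most MAX_CMDS_PER_RUN commands per call so a guest that keeps the queue
 * full cannot monopolise the thread; the next call resumes where this one stopped.
 * Returns commands consumed; "sum" stands in for executing them. */
static int fifo_run(struct fifo_state *s, uint64_t *sum)
{
    int done = 0;
    while (done < MAX_CMDS_PER_RUN && fifo_length(s) > 0) {
        *sum += fifo_read(s);
        done++;
    }
    return done;
}
```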


  Commit: 0c244e50ee12311037efd507ee37df0e846e4a18
      https://github.com/qemu/qemu/commit/0c244e50ee12311037efd507ee37df0e846e4a18
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-06-06 (Mon, 06 Jun 2016)

  Changed paths:
    M hw/display/virtio-gpu-3d.c
    M hw/display/virtio-gpu.c
    M hw/display/virtio-vga.c
    M include/hw/virtio/virtio-gpu.h

  Log Message:
  -----------
  virtio-gpu: add live migration support

Store some additional state for cursor and resource backing storage,
so we can write out and reload things.  Implement vmsave+vmload for
2d mode.  Continue blocking live migration in 3d/virgl mode.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: e854d0cf7847e70f5ed5dad5820fc1bbeda6f29e
      https://github.com/qemu/qemu/commit/e854d0cf7847e70f5ed5dad5820fc1bbeda6f29e
  Author: Peter Maydell <address@hidden>
  Date:   2016-06-06 (Mon, 06 Jun 2016)

  Changed paths:
    M hw/display/virtio-gpu-3d.c
    M hw/display/virtio-gpu.c
    M hw/display/virtio-vga.c
    M hw/display/vmware_vga.c
    M include/hw/virtio/virtio-gpu.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20160606-1' into staging

virtio-gpu: scanout fix, live migration support
vmsvga: security fixes

# gpg: Signature made Mon 06 Jun 2016 08:05:00 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"

* remotes/kraxel/tags/pull-vga-20160606-1:
  virtio-gpu: add live migration support
  vmsvga: don't process more than 1024 fifo commands at once
  vmsvga: shadow fifo registers
  vmsvga: add more fifo checks
  vmsvga: move fifo sanity checks to vmsvga_fifo_length
  virtio-gpu: fix scanout rectangles

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/890e48d7fc7d...e854d0cf7847
