qemu-commits
[Qemu-commits] [qemu/qemu] bba4e1: ui/curses.c: Ensure we don't read off


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] bba4e1: ui/curses.c: Ensure we don't read off the end of c...
Date: Tue, 13 Sep 2016 06:00:06 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: bba4e1b591531c087fce4ae501dc1ca299d8fb42
      
https://github.com/qemu/qemu/commit/bba4e1b591531c087fce4ae501dc1ca299d8fb42
  Author: Peter Maydell <address@hidden>
  Date:   2016-09-13 (Tue, 13 Sep 2016)

  Changed paths:
    M ui/curses.c

  Log Message:
  -----------
  ui/curses.c: Ensure we don't read off the end of curses2qemu array

Coverity spots that there is no bounds check before we
access the curses2qemu[] array.  Add one, bringing this
code path into line with the one that looks up entries
in curses2keysym[].

In theory getch() shouldn't return out of range keycodes,
but it's better not to assume this.

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 99a9ef44dca4be93f60c38d83a79eaaf8c56548a
      
https://github.com/qemu/qemu/commit/99a9ef44dca4be93f60c38d83a79eaaf8c56548a
  Author: Peter Maydell <address@hidden>
  Date:   2016-09-13 (Tue, 13 Sep 2016)

  Changed paths:
    M ui/curses.c

  Log Message:
  -----------
  ui/curses.c: Clean up nextchr logic

Coverity identifies that at the top of the while(1) loop
in curses_refresh() the variable nextchr is always ERR,
and so the else case of the first if() is dead code.
Remove this dead code, and narrow the scope of the
nextchr variable to the place where it's used.

(This confused logic has been present since the curses
code was added to QEMU in 2008.)

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 93ca519ec45cb26133da59d65575e839c62e9144
      
https://github.com/qemu/qemu/commit/93ca519ec45cb26133da59d65575e839c62e9144
  Author: Li Zhijian <address@hidden>
  Date:   2016-09-13 (Tue, 13 Sep 2016)

  Changed paths:
    M qemu-options.hx

  Log Message:
  -----------
  qemu-options.hx: correct spice options streaming-video default document value to 'off'

Since f1d3e58, the code has changed the default value to 'off', so this patch
makes the documentation and the code consistent.

Signed-off-by: Li Zhijian <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 3e10c3ecfcaf604d8b400d6e463e1a186ce97d9b
      
https://github.com/qemu/qemu/commit/3e10c3ecfcaf604d8b400d6e463e1a186ce97d9b
  Author: Gonglei <address@hidden>
  Date:   2016-09-13 (Tue, 13 Sep 2016)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  vnc: fix qemu crash because of SIGSEGV

The backtrace is:

0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, address@hidden, address@hidden, address@hidden, address@hidden, w=1, h=1) at ui/console.c:1575
0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, address@hidden, address@hidden, address@hidden, address@hidden, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>, mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
0x00007f0b77963f59 in access_with_adjusted_size (address@hidden, address@hidden, address@hidden, access_size_min=<optimized out>, access_size_max=<optimized out>, address@hidden <memory_region_write_accessor>, address@hidden, address@hidden) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
0x00007f0b77968315 in memory_region_dispatch_write (address@hidden, address@hidden, data=18446744073709551362, address@hidden, address@hidden) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377", attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., address@hidden, address@hidden "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
0x00007f0b77962f53 in kvm_cpu_exec (address@hidden) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
0x00007f0b70d3d66d in clone () from /lib64/libc.so.6

The code path when the segfault is hit:
 vnc_dpy_copy
   vnc_update_client
     vnc_disconnect_finish [while vnc_disconnect_start() is invoked because something's wrong]
       vnc_update_server_surface
         vd->server = NULL;
   vnc_server_fb_stride
     pixman_image_get_stride(vd->server)

Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid 
segmentation fault.

Cc: Gerd Hoffmann <address@hidden>
Cc: Daniel P. Berrange <address@hidden>
Reported-by: Yanying Zhuang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: e1c270c9404efe47c94b944818fdd093e418f938
      
https://github.com/qemu/qemu/commit/e1c270c9404efe47c94b944818fdd093e418f938
  Author: Peter Maydell <address@hidden>
  Date:   2016-09-13 (Tue, 13 Sep 2016)

  Changed paths:
    M qemu-options.hx
    M ui/curses.c
    M ui/vnc.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20160913-1' into staging

ui: misc small fixes for vnc, spice and curses.

# gpg: Signature made Tue 13 Sep 2016 08:04:46 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-ui-20160913-1:
  vnc: fix qemu crash because of SIGSEGV
  qemu-options.hx: correct spice options streaming-video default document value to 'off'
  ui/curses.c: Clean up nextchr logic
  ui/curses.c: Ensure we don't read off the end of curses2qemu array

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/8ede883cfaf9...e1c270c9404e
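The first curses commit above adds a range check before indexing curses2qemu[] with whatever getch() returned. The following is an added illustration of that pattern and is not QEMU's code: the table contents, its deliberately byte-sized length, and the names INPUT_ERR, INPUT_DOWN, lookup_key and translate_stream are all constructed here. It also shows why the check matters even when input "shouldn't" be out of range: curses getch() returns ERR (-1) when there is no input and keypad codes above 0xff for cursor and function keys (KEY_DOWN is 0402 octal), so a table sized for plain bytes is read past its end by a perfectly ordinary key press.

```c
/* Added example (not QEMU's code): bounds-checked lookup of a terminal
 * input code in a fixed-size translation table, the pattern the
 * ui/curses.c fix adds.  Table contents, sizes and all names here are
 * constructed for illustration. */
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* curses getch() conventions: ERR on no input, and keypad codes above
 * 0xff for cursor/function keys (KEY_DOWN is 0402 octal in ncurses). */
#define INPUT_ERR   (-1)
#define INPUT_DOWN  0402

/* Constructed translation table, deliberately sized for plain bytes only,
 * so that keypad codes such as INPUT_DOWN fall outside it.  0 = unmapped.
 * The scancode values are illustrative. */
static const int code_to_key[256] = {
    [0x0a] = 28,   /* newline -> Enter scancode */
    [0x61] = 30,   /* 'a'     -> 'A' key scancode */
    [0x7f] = 14,   /* DEL     -> Backspace scancode */
};

/* Returns the mapped key, 0 for an in-range code with no mapping, and
 * -1 for ERR or any code the table does not cover.  The range test runs
 * first, so code_to_key[code] is only evaluated once code is known to be
 * a valid index; a negative or oversized code never reaches the table. */
int lookup_key(int code)
{
    if (code < 0 || (size_t)code >= ARRAY_SIZE(code_to_key)) {
        return -1;
    }
    return code_to_key[code];
}

/* Translate a stream of raw input codes into key scancodes, dropping
 * ERR, out-of-range and unmapped codes.  Returns the number of keys
 * written to out (never more than out_cap). */
size_t translate_stream(const int *codes, size_t n, int *out, size_t out_cap)
{
    size_t written = 0;
    for (size_t i = 0; i < n && written < out_cap; i++) {
        int key = lookup_key(codes[i]);
        if (key > 0) {
            out[written++] = key;
        }
    }
    return written;
}

/* Constructed input stream: a mapped byte, ERR, a mapped byte, a keypad
 * code past the table, a negative garbage value, and an unmapped byte. */
static const int sample_input[] = { 0x61, INPUT_ERR, 0x0a, INPUT_DOWN, -5, 0x42 };

/* Run the sample stream through the checked translator. */
size_t run_sample(int *out, size_t out_cap)
{
    return translate_stream(sample_input, ARRAY_SIZE(sample_input), out, out_cap);
}

int main(void)
{
    int keys[8];
    size_t n = run_sample(keys, ARRAY_SIZE(keys));
    printf("translated %zu keys:", n);
    for (size_t i = 0; i < n; i++) {
        printf(" %d", keys[i]);
    }
    printf("\n");
    return 0;
}
```

The check is cheap and belongs at the point of use, not at the producer: QEMU's fix took the same approach of guarding the table access rather than trusting the documented range of getch().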
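The vnc commit describes a different hazard: vnc_dpy_copy() calls into vnc_update_client(), which on a broken connection runs the disconnect path that sets vd->server to NULL, and the caller then dereferences the pointer it had no reason to think was gone. Below is an added model of that call chain, written for this page and not QEMU's code; the struct layout, the client_broken flag that stands in for "something's wrong", and the names dpy_copy, update_client, disconnect_finish, update_server_surface and server_fb_stride are all constructed to mirror the commit's call tree. The point it shows is the guard's placement: the pointer is re-checked after the nested call, because that call is the one able to invalidate it.

```c
/* Added example (not QEMU's code): a small model of the vnc crash path,
 * where a nested per-client update can tear down the shared server
 * surface that the calling copy handler is about to use.  All names,
 * the surface layout and the sizes below are constructed. */
#include <stdlib.h>
#include <stdbool.h>

struct surface {
    int width, height, bytes_per_pixel;
};

struct display {
    struct surface *server;   /* shared framebuffer copy; NULL once torn down */
    bool client_broken;       /* constructed stand-in for "something's wrong" */
    int clients;
};

/* Model of vnc_update_server_surface() on the disconnect path:
 * with no client left, the server surface is released. */
static void update_server_surface(struct display *vd)
{
    if (vd->clients == 0) {
        free(vd->server);
        vd->server = NULL;
    }
}

/* Model of vnc_disconnect_finish(): drop the client, refresh the surface. */
static void disconnect_finish(struct display *vd)
{
    vd->clients--;
    update_server_surface(vd);
}

/* Model of vnc_update_client(): a broken client is disconnected here,
 * from inside the copy handler that called us. */
static void update_client(struct display *vd)
{
    if (vd->client_broken) {
        disconnect_finish(vd);
    }
}

/* Model of vnc_server_fb_stride(): dereferences vd->server unconditionally,
 * like pixman_image_get_stride(vd->server) in the backtrace. */
static int server_fb_stride(const struct display *vd)
{
    return vd->server->width * vd->server->bytes_per_pixel;
}

/* Model of vnc_dpy_copy().  Returns the stride used for the local copy,
 * or -1 when the nested update took the surface away and the copy was
 * skipped.  Without the `if (!vd->server)` test this is the SIGSEGV on
 * the page: update_client() may free vd->server, and the next call reads it. */
int dpy_copy(struct display *vd)
{
    update_client(vd);
    if (!vd->server) {
        return -1;   /* no client connected any more: nothing to copy into */
    }
    return server_fb_stride(vd);
}

/* Build a display with one client and a constructed 640x480x4 surface. */
struct display *display_new(bool client_broken)
{
    struct display *vd = calloc(1, sizeof *vd);
    vd->server = calloc(1, sizeof *vd->server);
    vd->server->width = 640;
    vd->server->height = 480;
    vd->server->bytes_per_pixel = 4;
    vd->clients = 1;
    vd->client_broken = client_broken;
    return vd;
}

void display_free(struct display *vd)
{
    free(vd->server);   /* free(NULL) is a no-op after a teardown */
    free(vd);
}
```

Checking vd->server before calling update_client() would not help; the pointer is valid on entry and only becomes NULL during the nested call. The general rule the fix applies is that any pointer into state a callee can tear down must be re-validated after that callee returns.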
