
[Qemu-commits] [qemu/qemu] 85d9d0: virtio-gpu: fix information leak in c


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 85d9d0: virtio-gpu: fix information leak in capset get dis...
Date: Thu, 12 Jan 2017 10:30:03 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 85d9d044471f93c48c5c396f7e217b4ef12f69f8
      
https://github.com/qemu/qemu/commit/85d9d044471f93c48c5c396f7e217b4ef12f69f8
  Author: Li Qiang <address@hidden>
  Date:   2017-01-11 (Wed, 11 Jan 2017)

  Changed paths:
    M hw/display/virtio-gpu-3d.c

  Log Message:
  -----------
  virtio-gpu: fix information leak in capset get dispatch

In virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp' struct hasn't been fully
initialized, it will leak the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.

Signed-off-by: Li Qiang <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden

[ kraxel: resolved conflict ]

Signed-off-by: Gerd Hoffmann <address@hidden>
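The defect class behind this commit, as an added example (not QEMU's code): a reply struct is heap-allocated, only the fields the handler knows about are written, and the whole struct is then copied to the guest, so any untouched bytes carry whatever the previous heap user left there. The struct layout, the 0xAA "stale heap" pattern and the response type id are constructed for the demonstration; `malloc` plus an explicit zeroing `memset` stands in for `g_malloc` versus `g_malloc0`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed reply layout; it is not QEMU's virtio_gpu_resp_capset, but it
 * has the same shape of problem: a field ('padding') the dispatch code never
 * writes before the whole struct is handed to the guest. */
struct capset_resp {
    uint32_t type;
    uint32_t flags;
    uint32_t padding;     /* never assigned by fill_resp() */
    uint8_t  data[16];
};

#define STALE_BYTE 0xAA   /* models whatever a prior user left in the heap */

/* Allocate like g_malloc() (contents indeterminate) or g_malloc0()
 * (zero-filled). The stale pattern stands in for indeterminate contents so
 * the demonstration is deterministic. */
static struct capset_resp *alloc_resp(int zeroed)
{
    struct capset_resp *resp = malloc(sizeof *resp);
    if (!resp)
        return NULL;
    memset(resp, STALE_BYTE, sizeof *resp);   /* previous heap user's data */
    if (zeroed)
        memset(resp, 0, sizeof *resp);        /* what g_malloc0 gives you */
    return resp;
}

/* Fills only the fields the command handler "knows about"; padding and the
 * tail of data[] beyond len are left as the allocator returned them. */
static void fill_resp(struct capset_resp *resp, const uint8_t *caps, size_t len)
{
    resp->type = 0x1101;   /* constructed response type id */
    resp->flags = 0;
    if (len > sizeof resp->data)
        len = sizeof resp->data;
    memcpy(resp->data, caps, len);
}

/* Counts bytes in the reply that still carry the stale pattern, i.e. host
 * memory content that would be copied into the guest's response buffer. */
static size_t stale_bytes(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/* Builds one reply the way the handler does and reports how many host bytes
 * would leak: 4 bytes of 'padding' plus 8 unused data[] bytes without
 * zeroing, none with it. */
size_t leaked_bytes(int zeroed)
{
    static const uint8_t caps[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed */
    struct capset_resp *resp = alloc_resp(zeroed);
    if (!resp)
        return (size_t)-1;
    fill_resp(resp, caps, sizeof caps);
    size_t n = stale_bytes(resp, sizeof *resp);
    free(resp);
    return n;
}

int main(void)
{
    printf("g_malloc-style : %zu stale bytes reach the guest\n", leaked_bytes(0));
    printf("g_malloc0-style: %zu stale bytes reach the guest\n", leaked_bytes(1));
    return 0;
}
```

The point the example makes beyond the commit message: zeroing the allocation covers not only the explicit `padding` field but also the unused tail of a variable-length payload, which is why switching the allocator is a more robust fix than assigning the one field that was noticed.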


  Commit: 913a87885f589d263e682c2eb6637c6e14538061
      
https://github.com/qemu/qemu/commit/913a87885f589d263e682c2eb6637c6e14538061
  Author: Bruce Rogers <address@hidden>
  Date:   2017-01-11 (Wed, 11 Jan 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  display: cirrus: ignore source pitch value as needed in blit_is_unsafe

Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch, we
noticed the SLES 11 SP4 guest gui failed to initialize properly.

Signed-off-by: Bruce Rogers <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 039aa5db0e7d9edb2bd807c2d4e09d8d7be4c9c4
      
https://github.com/qemu/qemu/commit/039aa5db0e7d9edb2bd807c2d4e09d8d7be4c9c4
  Author: Peter Maydell <address@hidden>
  Date:   2017-01-11 (Wed, 11 Jan 2017)

  Changed paths:
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load

The 'hostmem' field in VirtIOGPU is used to track the total memory
used in pixmaps so that we can impose a maximum limit on it.
However this field is neither migrated nor recalculated on
VM load, which means that after a migration it will be incorrectly
too low, which can allow the guest to use more pixmap memory
than it should. The per-resource hostmem fields are not filled
in either as we reallocate them in the load function.

Recalculate the memory used for each pixmap and the total memory
used as we reallocate the pixmaps in virtio_gpu_load().

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
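The accounting problem this commit describes, as an added example (not QEMU's code): a per-device total is used to enforce a pixmap memory cap on every create, but the migration stream carries only resource geometry, so a load path that rebuilds the pixmaps without recomputing the total leaves it at zero and the guest can overcommit after migration. The `gpu` and `resource` structs, the 64 MiB cap and the migration stream are constructed; the "reject a stream whose reconstructed total exceeds the cap" check in the fixed load is an assumption added here, not something the commit message states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RES 8
#define HOSTMEM_LIMIT (64ULL * 1024 * 1024)   /* constructed 64 MiB cap */

struct resource {
    uint32_t width, height, bpp;   /* bpp = bytes per pixel */
    uint64_t hostmem;              /* bytes backing this pixmap */
};

struct gpu {
    struct resource res[MAX_RES];
    size_t nres;
    uint64_t hostmem;              /* running total, checked on every create */
};

static uint64_t pixmap_bytes(uint32_t w, uint32_t h, uint32_t bpp)
{
    return (uint64_t)w * h * bpp;
}

/* Guest-driven create: the cap check is only as good as g->hostmem. */
int gpu_create_resource(struct gpu *g, uint32_t w, uint32_t h, uint32_t bpp)
{
    uint64_t need = pixmap_bytes(w, h, bpp);
    if (g->nres >= MAX_RES || g->hostmem + need > HOSTMEM_LIMIT)
        return -1;                 /* refused */
    struct resource *r = &g->res[g->nres++];
    r->width = w; r->height = h; r->bpp = bpp; r->hostmem = need;
    g->hostmem += need;
    return 0;
}

/* What the migration stream carries: geometry only, no accounting. */
struct migrated_resource { uint32_t width, height, bpp; };

/* Before the fix: pixmaps are rebuilt, but neither the per-resource hostmem
 * nor the total is recomputed, so the total is zero after load. */
void gpu_load_buggy(struct gpu *g, const struct migrated_resource *m, size_t n)
{
    memset(g, 0, sizeof *g);
    for (size_t i = 0; i < n && i < MAX_RES; i++) {
        g->res[i].width  = m[i].width;
        g->res[i].height = m[i].height;
        g->res[i].bpp    = m[i].bpp;
        g->nres++;
    }
}

/* After the fix: recompute each pixmap's size and the total while rebuilding.
 * Refusing a stream whose total already exceeds the cap is an extra check
 * assumed here, not described by the commit. */
int gpu_load_fixed(struct gpu *g, const struct migrated_resource *m, size_t n)
{
    memset(g, 0, sizeof *g);
    for (size_t i = 0; i < n && i < MAX_RES; i++) {
        struct resource *r = &g->res[i];
        r->width = m[i].width; r->height = m[i].height; r->bpp = m[i].bpp;
        r->hostmem = pixmap_bytes(r->width, r->height, r->bpp);
        g->hostmem += r->hostmem;
        g->nres++;
    }
    return g->hostmem > HOSTMEM_LIMIT ? -1 : 0;
}

/* Constructed stream: two 32 MiB pixmaps, exactly filling the 64 MiB cap. */
static const struct migrated_resource stream[2] = {
    { 4096, 2048, 4 }, { 4096, 2048, 4 },
};

/* Total the device believes it is using right after load. */
uint64_t hostmem_after_load(int fixed)
{
    struct gpu g;
    if (fixed) gpu_load_fixed(&g, stream, 2);
    else       gpu_load_buggy(&g, stream, 2);
    return g.hostmem;
}

/* 1 if a 4 MiB create that would push the device to 68 MiB is wrongly
 * accepted after load, 0 if it is refused as it should be. */
int overcommit_after_load(int fixed)
{
    struct gpu g;
    if (fixed) gpu_load_fixed(&g, stream, 2);
    else       gpu_load_buggy(&g, stream, 2);
    return gpu_create_resource(&g, 1024, 1024, 4) == 0 ? 1 : 0;
}

int main(void)
{
    printf("buggy load: total=%llu MiB, overcommit accepted=%d\n",
           (unsigned long long)(hostmem_after_load(0) >> 20), overcommit_after_load(0));
    printf("fixed load: total=%llu MiB, overcommit accepted=%d\n",
           (unsigned long long)(hostmem_after_load(1) >> 20), overcommit_after_load(1));
    return 0;
}
```

The general lesson is that any limit-enforcing counter derived from other state should be recomputed from that state on load rather than trusted to be carried across, since a stale or zeroed counter silently disables the limit.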


  Commit: c84f0f25db2eaab101665ddb60c1ddf1decce76a
      
https://github.com/qemu/qemu/commit/c84f0f25db2eaab101665ddb60c1ddf1decce76a
  Author: Peter Maydell <address@hidden>
  Date:   2017-01-11 (Wed, 11 Jan 2017)

  Changed paths:
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  virtio-gpu: Fix memory leak in virtio_gpu_load()

Coverity points out that if we fail in the "creating resources"
loop in virtio_gpu_load() we will leak various resources (CID 1356431).
Failing a VM load is going to leave the simulation in a complete mess,
but we can tidy up to the point that a full system reset should
get us back to sanity.

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: a2056e09b02745e5d000351a8a7938fa8a292ba7
      
https://github.com/qemu/qemu/commit/a2056e09b02745e5d000351a8a7938fa8a292ba7
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-01-11 (Wed, 11 Jan 2017)

  Changed paths:
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  virtio-gpu: tag as not hotpluggable

qemu can't hotplug display devices.

Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Message-id: address@hidden


  Commit: 80fbc689e0503f8dd7b1eaf1b608cd6b8e76ca09
      
https://github.com/qemu/qemu/commit/80fbc689e0503f8dd7b1eaf1b608cd6b8e76ca09
  Author: Peter Maydell <address@hidden>
  Date:   2017-01-12 (Thu, 12 Jan 2017)

  Changed paths:
    M hw/display/cirrus_vga.c
    M hw/display/virtio-gpu-3d.c
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20170111-1' into staging

vga: fixes for virtio-gpu and cirrus.

# gpg: Signature made Wed 11 Jan 2017 10:24:24 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-vga-20170111-1:
  virtio-gpu: tag as not hotpluggable
  virtio-gpu: Fix memory leak in virtio_gpu_load()
  virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load
  display: cirrus: ignore source pitch value as needed in blit_is_unsafe
  virtio-gpu: fix information leak in capset get dispatch

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/4201e616c0fa...80fbc689e050
