[Qemu-commits] [qemu/qemu] f153b5: cirrus: handle negative pitch in cirr


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] f153b5: cirrus: handle negative pitch in cirrus_invalidate...
Date: Fri, 03 Feb 2017 03:30:04 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: f153b563f8cf121aebf5a2fff5f0110faf58ccb3
      
https://github.com/qemu/qemu/commit/f153b563f8cf121aebf5a2fff5f0110faf58ccb3
  Author: Wolfgang Bumiller <address@hidden>
  Date:   2017-02-01 (Wed, 01 Feb 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: handle negative pitch in cirrus_invalidate_region()

cirrus_invalidate_region() calls memory_region_set_dirty()
on a per-line basis, always ranging from off_begin to
off_begin+bytesperline. With a negative pitch off_begin
marks the top most used address and thus we need to do an
initial shift backwards by a line for negative pitches of
backward blits, otherwise the first iteration covers the
line going from the start offset forwards instead of
backwards.
Additionally since the start address is inclusive, if we
shift by a full `bytesperline` we move to the first address
*not* included in the blit, so we only shift by one less
than bytesperline.

Signed-off-by: Wolfgang Bumiller <address@hidden>
Message-id: address@hidden

[ kraxel: codestyle fixes ]

Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 5858dd1801883309bdd208d72ddb81c4e9fee30c
      
https://github.com/qemu/qemu/commit/5858dd1801883309bdd208d72ddb81c4e9fee30c
  Author: Wolfgang Bumiller <address@hidden>
  Date:   2017-02-01 (Wed, 01 Feb 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: allow zero source pitch in pattern fill rops

The rops used by cirrus_bitblt_common_patterncopy only use
the destination pitch, so the source pitch should be allowed to
be zero and the blit width used for the range check around the
source address.

Signed-off-by: Wolfgang Bumiller <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 60cd23e85151525ab26591394c4e7e06fa07d216
      
https://github.com/qemu/qemu/commit/60cd23e85151525ab26591394c4e7e06fa07d216
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-01 (Wed, 01 Feb 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: fix blit address mask handling

Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
right after assigning them, in cirrus_bitblt_start(), instead of having
this all over the place in the cirrus code, and missing a few places.

Reported-by: Wolfgang Bumiller <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 62d4c6bd5263bb8413a06c80144fc678df6dfb64
      
https://github.com/qemu/qemu/commit/62d4c6bd5263bb8413a06c80144fc678df6dfb64
  Author: Li Qiang <address@hidden>
  Date:   2017-02-02 (Thu, 02 Feb 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: fix oob access issue (CVE-2017-2615)

When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.

Signed-off-by: Li Qiang <address@hidden>

[ kraxel: with backward blits (negative pitch) addr is the topmost
    address, so check it as-is against vram size ]

Cc: address@hidden
Cc: P J P <address@hidden>
Cc: Laszlo Ersek <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Wolfgang Bumiller <address@hidden>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Reviewed-by: Laszlo Ersek <address@hidden>


  Commit: 5b66d7ae89411c01657ebfe76b9a8be346a4b1be
      
https://github.com/qemu/qemu/commit/5b66d7ae89411c01657ebfe76b9a8be346a4b1be
  Author: Peter Maydell <address@hidden>
  Date:   2017-02-03 (Fri, 03 Feb 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20170202-2' into staging

cirrus: multiple bugfixes, including CVE-2017-2615 fix.

# gpg: Signature made Thu 02 Feb 2017 15:03:35 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-vga-20170202-2:
  cirrus: fix oob access issue (CVE-2017-2615)
  cirrus: fix blit address mask handling
  cirrus: allow zero source pitch in pattern fill rops
  cirrus: handle negative pitch in cirrus_invalidate_region()

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/5459ef3bff96...5b66d7ae8941
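
The address arithmetic described in the log messages above (first line shifted back by one less than the line width for a negative pitch, and the topmost address checked as-is against the VRAM size) can be modelled as follows. This is an added example, not code from QEMU or from these commits; `struct blit`, `line_begin()` and `blit_in_bounds()` are hypothetical names, and the sample values in `main()` are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a blit request; not QEMU's CirrusVGAState. */
struct blit {
    int64_t addr;    /* start offset in VRAM (topmost byte if pitch < 0) */
    int32_t pitch;   /* signed distance in bytes between consecutive lines */
    int32_t width;   /* bytes per line, >= 1 */
    int32_t height;  /* number of lines, >= 1 */
};

/* Lowest VRAM offset touched by line `line` (inclusive). */
static int64_t line_begin(const struct blit *b, int32_t line)
{
    int64_t start = b->addr + (int64_t)line * b->pitch;
    /* Backward blit: start is the last byte of the line and is inclusive,
     * so step back by width - 1, not by the full width. */
    return b->pitch < 0 ? start - (b->width - 1) : start;
}

/* True when every byte of every line lies inside [0, vram_size). */
static bool blit_in_bounds(const struct blit *b, int64_t vram_size)
{
    /* The start address is checked as-is in both directions. */
    if (b->width < 1 || b->height < 1 ||
        b->addr < 0 || b->addr >= vram_size) {
        return false;
    }
    /* The last line is the extreme one: lowest when going backward,
     * highest when going forward. */
    int64_t lo = line_begin(b, b->pitch < 0 ? b->height - 1 : 0);
    int64_t hi = line_begin(b, b->pitch < 0 ? 0 : b->height - 1)
                 + b->width - 1;
    return lo >= 0 && hi < vram_size;
}

int main(void)
{
    /* Constructed sample: backward blit whose third line would start
     * before offset 0 of a 4096-byte VRAM. */
    struct blit b = { 100, -64, 32, 3 };
    printf("first line covers [%lld, %lld]\n",
           (long long)line_begin(&b, 0), (long long)b.addr);
    printf("in bounds: %d\n", blit_in_bounds(&b, 4096));
    return 0;
}
```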
