qemu-commits

[Qemu-commits] [qemu/qemu] e65294: vga: fix display update region calcul


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] e65294: vga: fix display update region calculation (split ...
Date: Thu, 14 Sep 2017 05:43:11 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: e65294157d4b69393b3f819c99f4f647452b48e3
      
https://github.com/qemu/qemu/commit/e65294157d4b69393b3f819c99f4f647452b48e3
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-01 (Fri, 01 Sep 2017)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga: fix display update region calculation (split screen)

vga display update mis-calculated the region for the dirty bitmap
snapshot in case split screen mode is used.  This can trigger an
assert in cpu_physical_memory_snapshot_get_dirty().

Impact:  DoS for privileged guest users.

Fixes: CVE-2017-13673
Fixes: fec5e8c92becad223df9d972770522f64aafdb72
Cc: P J P <address@hidden>
Reported-by: David Buchanan <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 3d90c6254863693a6b13d918d2b8682e08bbc681
      
https://github.com/qemu/qemu/commit/3d90c6254863693a6b13d918d2b8682e08bbc681
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-01 (Fri, 01 Sep 2017)

  Changed paths:
    M hw/display/vga-helpers.h
    M hw/display/vga.c
    M hw/display/vga_int.h

  Log Message:
  -----------
  vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact:  DoS for privileged guest users.  qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <address@hidden>
Reported-by: David Buchanan <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
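The masked-address read pattern this commit describes (pass a vram offset, not a pointer, and mask it with vbe_size_mask on every access), shown as an added example that is not QEMU's own code. VgaState, VRAM_SIZE, vga_state_alloc and vga_draw_line8 are constructed stand-ins for the types in vga_int.h; the real vga_read_* helpers in vga-helpers.h differ in detail.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed VGA memory model: a power-of-two vram size and its mask
 * (QEMU keeps these as vbe_size / vbe_size_mask in VGACommonState). */
#define VRAM_SIZE      (1u << 16)          /* 64 KiB of constructed vram */
#define VBE_SIZE_MASK  (VRAM_SIZE - 1)

typedef struct {
    uint8_t *vram_ptr;
    uint32_t vbe_size;
    uint32_t vbe_size_mask;
} VgaState;

/* Masked accessor: the address is forced back into [0, vbe_size), so an
 * offset derived from guest-programmed registers wraps instead of walking
 * into the guard page after the allocation. */
static inline uint8_t vga_read_byte(VgaState *s, uint32_t addr)
{
    return s->vram_ptr[addr & s->vbe_size_mask];
}

/* 32-bit little-endian read built from masked byte reads, so a dword that
 * straddles the end of vram is still in bounds. */
static inline uint32_t vga_read_dword_le(VgaState *s, uint32_t addr)
{
    return (uint32_t)vga_read_byte(s, addr)
         | (uint32_t)vga_read_byte(s, addr + 1) << 8
         | (uint32_t)vga_read_byte(s, addr + 2) << 16
         | (uint32_t)vga_read_byte(s, addr + 3) << 24;
}

/* Draw one scanline of 8-bit pixels starting at a vram *address* rather
 * than a pointer; copies 'width' pixels into dst and returns the count. */
static int vga_draw_line8(VgaState *s, uint32_t addr, uint8_t *dst, int width)
{
    for (int x = 0; x < width; x++) {
        dst[x] = vga_read_byte(s, addr + x);
    }
    return width;
}

/* Constructed state with a known pattern: vram[i] == (uint8_t)i. */
static VgaState *vga_state_alloc(void)
{
    VgaState *s = calloc(1, sizeof(*s));
    s->vbe_size = VRAM_SIZE;
    s->vbe_size_mask = VBE_SIZE_MASK;
    s->vram_ptr = malloc(VRAM_SIZE);
    for (uint32_t i = 0; i < VRAM_SIZE; i++) s->vram_ptr[i] = (uint8_t)i;
    return s;
}
```

A line requested at VRAM_SIZE - 4 with width 8 wraps to addresses 0..3 rather than reading past the buffer.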


  Commit: 79c5a10cdda1aed00d7ee4ef87de2ef8c854f4a5
      
https://github.com/qemu/qemu/commit/79c5a10cdda1aed00d7ee4ef87de2ef8c854f4a5
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-01 (Fri, 01 Sep 2017)

  Changed paths:
    M hw/display/qxl-render.c

  Log Message:
  -----------
  qxl: drop mono cursor support

The chunk size sanity check in qxl_render_cursor works for
SPICE_CURSOR_TYPE_ALPHA cursors only.  So support for
SPICE_CURSOR_TYPE_MONO cursors must have been broken for ages without anyone
noticing.  Most likely it simply isn't used any more by guest drivers.
Drop the dead code.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: b21330b513365a83aa808a27da1ebe53f8f10c3c
      
https://github.com/qemu/qemu/commit/b21330b513365a83aa808a27da1ebe53f8f10c3c
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-01 (Fri, 01 Sep 2017)

  Changed paths:
    M hw/display/qxl-render.c

  Log Message:
  -----------
  qxl: add support for chunked cursors.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 138bc2df843105edb22978284fc2e16307f16211
      
https://github.com/qemu/qemu/commit/138bc2df843105edb22978284fc2e16307f16211
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2017-09-01 (Fri, 01 Sep 2017)

  Changed paths:
    M hw/display/vga.c

  Log Message:
  -----------
  vga/migration: Update memory map in post_load

After migration the chain4 alias mapping added by 80763888 (in 2011)
might be missing, since there's no call to vga_update_memory_access
in the post_load after the registers are updated.  Add it back.

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 79d16c21a565927943486b26789caa62413ff371
      
https://github.com/qemu/qemu/commit/79d16c21a565927943486b26789caa62413ff371
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-09-13 (Wed, 13 Sep 2017)

  Changed paths:
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  virtio-gpu: don't clear QemuUIInfo information on reset

Don't reset window layout information (passed via virtio_gpu_ui_info) on
device reset, so the user interface window layout will be kept intact
over reboots.  The head size and position were commented out already, so
this patch just drops the dead code.  Additionally the enabled head mask
must be kept so multihead setups work properly too.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1460595
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden


  Commit: bcf9e2c0a5f8de395842e034ca15be13d1fc5f90
      
https://github.com/qemu/qemu/commit/bcf9e2c0a5f8de395842e034ca15be13d1fc5f90
  Author: Peter Maydell <address@hidden>
  Date:   2017-09-14 (Thu, 14 Sep 2017)

  Changed paths:
    M hw/display/qxl-render.c
    M hw/display/vga-helpers.h
    M hw/display/vga.c
    M hw/display/vga_int.h
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/vga-20170913-pull-request' into staging

vga: bugfixes.
qxl: chunked cursor support.

# gpg: Signature made Wed 13 Sep 2017 08:41:08 BST
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vga-20170913-pull-request:
  virtio-gpu: don't clear QemuUIInfo information on reset
  vga/migration: Update memory map in post_load
  qxl: add support for chunked cursors.
  qxl: drop mono cursor support
  vga: stop passing pointers to vga_draw_line* functions
  vga: fix display update region calculation (split screen)

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/04ef33052c20...bcf9e2c0a5f8
