Re: [PATCH] vfio: fix use-after-free in display

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] vfio: fix use-after-free in display

From:	Gerd Hoffmann
Subject:	Re: [PATCH] vfio: fix use-after-free in display
Date:	Mon, 13 Jul 2020 16:00:28 +0200

On Mon, Jul 13, 2020 at 02:51:05PM +0200, Philippe Mathieu-DaudÃ© wrote:
> On 7/13/20 2:45 PM, Gerd Hoffmann wrote:
> > Calling ramfb_display_update() might replace the DisplaySurface with the
> > boot display, which in turn will free the currently active
> > DisplaySurface.
> > 
> > So clear our DisplaySurface pinter (dpy->region.surface pointer) to (a)
> > avoid use-after-free and (b) force replacing the boot display with the
> > real display when switching back.
> > 
> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> > ---
> >  hw/vfio/display.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/hw/vfio/display.c b/hw/vfio/display.c
> > index a57a22674d62..342054193b3c 100644
> > --- a/hw/vfio/display.c
> > +++ b/hw/vfio/display.c
> > @@ -405,6 +405,7 @@ static void vfio_display_region_update(void *opaque)
> >      if (!plane.drm_format || !plane.size) {
> >          if (dpy->ramfb) {
> >              ramfb_display_update(dpy->con, dpy->ramfb);
> > +            dpy->region.surface = NULL;
> >          }
> >          return;
> >      }
> > 
> 
> More generic fix:
> 
> -- >8 --
> --- a/ui/console.c
> +++ b/ui/console.c
> @@ -1580,10 +1580,10 @@ void dpy_gfx_replace_surface(QemuConsole *con,
>                               DisplaySurface *surface)
>  {
>      DisplayState *s = con->ds;
> -    DisplaySurface *old_surface = con->surface;
> +    QemuConsole *old_con = con;
>      DisplayChangeListener *dcl;
> 
> -    assert(old_surface != surface || surface == NULL);
> +    assert(con->surface != surface || surface == NULL);
> 
>      con->surface = surface;
>      QLIST_FOREACH(dcl, &s->listeners, next) {
> @@ -1594,7 +1594,8 @@ void dpy_gfx_replace_surface(QemuConsole *con,
>              dcl->ops->dpy_gfx_switch(dcl, surface);
>          }
>      }
> -    qemu_free_displaysurface(old_surface);
> +    qemu_free_displaysurface(old_con->surface);
> +    old_con->surface = NULL;

No.

That doesn't clear VFIODisplay->region.surface, but it sets
QemuConsole->surface to NULL no matter what got passed to
dpy_gfx_replace_surface().

Guesswork based just on the patch chunk doesn't always work,
sometimes you have to consult the source code to see what the
patch actually does ;)

take care,
  Gerd

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] vfio: fix use-after-free in display, Gerd Hoffmann, 2020/07/13
- Re: [PATCH] vfio: fix use-after-free in display, Philippe Mathieu-Daudé, 2020/07/13
  - Re: [PATCH] vfio: fix use-after-free in display, Gerd Hoffmann <=
    - Re: [PATCH] vfio: fix use-after-free in display, Philippe Mathieu-Daudé, 2020/07/13
- Re: [PATCH] vfio: fix use-after-free in display, Alex Williamson, 2020/07/13
  - Re: [PATCH] vfio: fix use-after-free in display, Gerd Hoffmann, 2020/07/15

Prev by Date: Re: [PATCH 1/1] MAINTAINERS: Add Python library stanza
Next by Date: Re: [PATCH v2 4/5] iotests.py: filter_testfiles(): filter SOCK_DIR too
Previous by thread: Re: [PATCH] vfio: fix use-after-free in display
Next by thread: Re: [PATCH] vfio: fix use-after-free in display
Index(es):
- Date
- Thread