author | Peter Maydell <peter.maydell@linaro.org> | 2020-06-05 13:53:05 +0100 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2020-06-05 13:53:05 +0100 |
commit | 5d2f557b47dfbf8f23277a5bdd8473d4607c681a (patch) | |
tree | b201eb447b39b4d5699a12e616e71398f251c5ce | |
parent | b489f015fbe2bd59d409211f79ea0a8ac5d2a66d (diff) | |
parent | ae3887e6f08c0031b669d4613987ee51df8f1769 (diff) |
Merge remote-tracking branch 'remotes/kraxel/tags/vga-20200605-pull-request' into staging
vga: ati security fix, cirrus cleanup.
# gpg: Signature made Fri 05 Jun 2020 12:27:13 BST
# gpg: using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* remotes/kraxel/tags/vga-20200605-pull-request:
hw/display/cirrus_vga: Fix code mis-indentation
ati-vga: check mm_index before recursive call (CVE-2020-13800)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r-- | hw/display/ati.c | 10 | ||||
-rw-r--r-- | hw/display/cirrus_vga.c | 6 |
2 files changed, 11 insertions, 5 deletions
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 065f197678..67604e68de 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
 if (idx <= s->vga.vram_size - size) {
 val = ldn_le_p(s->vga.vram_ptr + idx, size);
 }
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
 val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
 }
 break;
 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
 if (idx <= s->vga.vram_size - size) {
 stn_le_p(s->vga.vram_ptr + idx, size, data);
 }
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
 ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
 }
 break;
 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 92c197cdde..212d6f5e61 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -1032,9 +1032,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
 } else {
 if (s->cirrus_blt_mode & CIRRUS_BLTMODE_TRANSPARENTCOMP) {
 if (s->cirrus_blt_pixelwidth > 2) {
- qemu_log_mask(LOG_GUEST_ERROR,
- "cirrus: src transparent without colorexpand "
- "must be 8bpp or 16bpp\n");
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "cirrus: src transparent without colorexpand "
+ "must be 8bpp or 16bpp\n");
 goto bitblt_ignore;
 }
 if (s->cirrus_blt_mode & CIRRUS_BLTMODE_BACKWARDS) { |
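Review bot: The bound `s->regs.mm_index > MM_DATA + 3` in the ati_mm_read hunk, and the identical one in the ati_mm_write hunk, carries the whole fix but is not explained in the code. A comment above each `else if`, such as `/* mm_index must point past the 4-byte MM_DATA window, or the redirected access can land on MM_INDEX/MM_DATA again and recurse without bound */`, would record the invariant for the next maintainer. On the read side the new rejecting `else` only logs and never assigns `val`, so what the guest reads back depends on how `val` is declared, which is outside the hunk. If it is not initialised at its declaration, `val = 0;` belongs in that branch so the guest gets a deterministic value rather than stale host stack contents. Both functions start and end outside their hunks, so the handling of large redirected addresses could not be checked from here.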