| | | |
|---|---|---|
| author | Gerd Hoffmann <kraxel@redhat.com> | 2017-08-28 14:29:06 +0200 |
| committer | Gerd Hoffmann <kraxel@redhat.com> | 2017-09-01 13:52:43 +0200 |
| commit | 3d90c6254863693a6b13d918d2b8682e08bbc681 (patch) | |
| tree | 41f305d2ad30ffad4ea463ca2c89f83e53eb2067 /hw/display/vga_int.h | |
| parent | e65294157d4b69393b3f819c99f4f647452b48e3 (diff) | |
vga: stop passing pointers to vga_draw_line* functions
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).
Impact: DoS for privileged guest users. qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.
Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com
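The commit message describes the mitigation only in outline: draw functions stop carrying raw pointers into VRAM and instead carry an offset that read helpers mask with `vbe_size_mask` before every access. The following is an added example, not code from QEMU or from this commit, that models the technique in isolation so the bounding property can be checked. The `VgaModel` struct and the `vga_read_byte`, `vga_read_word`, `unmasked_overrun_bytes` and `masked_line_sum` names are assumptions standing in for the real `VGACommonState` fields and `vga_read_*` helpers; the example also assumes the mask is `vbe_size - 1`, which is why it refuses a non-power-of-two size.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not QEMU code: a minimal model of the offset-masking fix.
 * VgaModel stands in for VGACommonState; only the fields the technique
 * needs are present (assumption). */
typedef struct {
    uint8_t  *vram;
    uint32_t  vbe_size;       /* size of the VRAM allocation, power of two */
    uint32_t  vbe_size_mask;  /* vbe_size - 1: keeps any offset inside vram */
} VgaModel;

/* Allocate the model. A mask of (size - 1) only bounds offsets when size is
 * a power of two, so anything else is rejected rather than silently broken. */
int vga_model_init(VgaModel *s, uint32_t vbe_size)
{
    if (vbe_size == 0 || (vbe_size & (vbe_size - 1)) != 0) {
        return -1;
    }
    s->vbe_size = vbe_size;
    s->vbe_size_mask = vbe_size - 1;
    s->vram = calloc(vbe_size, 1);
    return s->vram ? 0 : -1;
}

/* Read helper in the style the commit describes: the offset is masked before
 * it touches memory, so every 32-bit addr lands in [0, vbe_size). An offset
 * just past the end wraps to the start instead of reading the guard page. */
static inline uint8_t vga_read_byte(const VgaModel *s, uint32_t addr)
{
    return s->vram[addr & s->vbe_size_mask];
}

/* Two masked byte reads; addr + 1 is masked separately, so a word that
 * straddles the end of vram wraps rather than overruns. */
static inline uint16_t vga_read_word(const VgaModel *s, uint32_t addr)
{
    return (uint16_t)(vga_read_byte(s, addr) |
                      ((uint16_t)vga_read_byte(s, addr + 1) << 8));
}

/* The 'before' behaviour, modelled without dereferencing anything: a draw
 * loop that computed one pointer from a guest-chosen start offset and walked
 * 'width' bytes would run this many bytes past the allocation. */
uint32_t unmasked_overrun_bytes(const VgaModel *s, uint32_t start, uint32_t width)
{
    uint64_t end = (uint64_t)start + width;
    return end > s->vbe_size ? (uint32_t)(end - s->vbe_size) : 0;
}

/* The 'after' behaviour: a line walk where every access goes through the
 * masked helper. Returns the byte sum so the test can observe which bytes
 * were actually read. */
uint32_t masked_line_sum(const VgaModel *s, uint32_t start, uint32_t width)
{
    uint32_t sum = 0;
    for (uint32_t i = 0; i < width; i++) {
        sum += vga_read_byte(s, start + i);
    }
    return sum;
}

void vga_model_free(VgaModel *s)
{
    free(s->vram);
    s->vram = NULL;
}
```

The point the model makes visible is that masking turns an out-of-range offset into a wrong-but-in-bounds read: the guest can still scribble garbage on the display, but it can no longer make the emulator touch memory outside the VRAM allocation, which is exactly the crash the commit closes.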
Diffstat (limited to 'hw/display/vga_int.h')
-rw-r--r-- | hw/display/vga_int.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h index dd6c958da3..ad34a1f048 100644 --- a/hw/display/vga_int.h +++ b/hw/display/vga_int.h @@ -94,6 +94,7 @@ typedef struct VGACommonState { uint32_t vram_size; uint32_t vram_size_mb; /* property */ uint32_t vbe_size; + uint32_t vbe_size_mask; uint32_t latch; bool has_chain4_alias; MemoryRegion chain4_alias; |
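Review bot: the new `vbe_size_mask` field is declared directly under `uint32_t vbe_size;` with no comment, and this hunk neither initialises it nor states its relationship to `vbe_size`; since the whole fix (per the commit message) relies on the read helpers masking with this value, the invariant should be recorded at the declaration, for example `uint32_t vbe_size_mask; /* vbe_size - 1; vbe_size must be a power of two */`. Without that, a future change that computes `vbe_size` in a new place can leave the mask zero (every read collapses to offset 0) or mismatched (a non-power-of-two size makes `& mask` fail to bound the offset), and nothing in this header would flag it. The code that sets the field is outside the diffstat shown here, so the comment is the one place a reader of `vga_int.h` can learn the field must be kept in sync wherever `vbe_size` is assigned.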