From 3d90c6254863693a6b13d918d2b8682e08bbc681 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 28 Aug 2017 14:29:06 +0200 Subject: vga: stop passing pointers to vga_draw_line* functions Instead pass around the address (aka offset into vga memory). Add vga_read_* helper functions which apply vbe_size_mask to the address, to make sure the address stays within the valid range, similar to the cirrus blitter fixes (commits ffaf857778 and 026aeffcb4). Impact: DoS for privileged guest users. qemu crashes with a segfault, when hitting the guard page after vga memory allocation, while reading vga memory for display updates. Fixes: CVE-2017-13672 Cc: P J P Reported-by: David Buchanan Signed-off-by: Gerd Hoffmann Message-id: 20170828122906.18993-1-kraxel@redhat.com --- hw/display/vga_int.h | 1 + 1 file changed, 1 insertion(+) (limited to 'hw/display/vga_int.h') diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h index dd6c958da3..ad34a1f048 100644 --- a/hw/display/vga_int.h +++ b/hw/display/vga_int.h @@ -94,6 +94,7 @@ typedef struct VGACommonState { uint32_t vram_size; uint32_t vram_size_mb; /* property */ uint32_t vbe_size; + uint32_t vbe_size_mask; uint32_t latch; bool has_chain4_alias; MemoryRegion chain4_alias; -- cgit v1.2.3