[Qemu-devel] [PULL 2/7] spice: fix invalid memory access to vga.vram
From: Gerd Hoffmann
Subject: [Qemu-devel] [PULL 2/7] spice: fix invalid memory access to vga.vram
Date: Wed, 4 Mar 2015 15:30:44 +0100
From: Radim Krčmář <address@hidden>
vga_common_init() doesn't allow more than 256 MiB vram size and silently
shrinks any larger value. qxl_dirty_surfaces() used the unshrunk size
via qxl->shadow_rom.surface0_area_size when accessing the memory, which
resulted in a segfault.
Add a workaround for this case and an assert if it happens again.
We have to bump the vga memory limit too, because 256 MiB wouldn't have
allowed 8k (it requires more than 128 MiB).
1024 MiB doesn't work, but 512 MiB seems fine.
Proposed-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Radim Krčmář <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/display/qxl.c | 8 ++++++++
hw/display/vga.c | 4 ++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 6e90797..92f2d50 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -370,6 +370,8 @@ static void init_qxl_rom(PCIQXLDevice *d)
num_pages -= surface0_area_size;
num_pages = num_pages / QXL_PAGE_SIZE;
+ assert(ram_header_size + surface0_area_size <= d->vga.vram_size);
+
rom->draw_area_offset = cpu_to_le32(0);
rom->surface0_area_size = cpu_to_le32(surface0_area_size);
rom->pages_offset = cpu_to_le32(surface0_area_size);
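Review bot: the assert lands two statements after the subtraction it is meant to protect; `num_pages -= surface0_area_size;` has already run (and `num_pages -= ram_header_size;` before it) by the time `assert(ram_header_size + surface0_area_size <= d->vga.vram_size);` is evaluated, so a bad configuration has already wrapped num_pages before the check fires. Moving the assert ahead of the two subtractions checks the invariant before anything is computed from it, and a short comment naming the cap in qxl_init_ramsize() that makes this hold (256 against vga.c's 512) would tell the next person who raises the vga limit which constant has to move with it.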
@@ -1883,6 +1885,12 @@ static void qxl_init_ramsize(PCIQXLDevice *qxl)
if (qxl->vgamem_size_mb < 8) {
qxl->vgamem_size_mb = 8;
}
+ /* XXX: we round vgamem_size_mb up to a nearest power of two and it must be
+ * less than vga_common_init()'s maximum on qxl->vga.vram_size (512 now).
+ */
+ if (qxl->vgamem_size_mb > 256) {
+ qxl->vgamem_size_mb = 256;
+ }
qxl->vgamem_size = qxl->vgamem_size_mb * 1024 * 1024;
/* vga ram (bar 0, total) */
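Review bot: the new cap silently lowers a user-supplied vgamem_mb above 256, which is the same silent-shrink behaviour in vga_common_init() that the commit message names as the cause of the bug; at minimum report the adjustment (error_report or a warning) when `qxl->vgamem_size_mb > 256` is hit so the mismatch between what was asked for and what the guest sees is visible. The literal 256 and the "512 now" in the comment also hard-code vga.c's limit in a second place; a shared constant, or deriving this cap from that limit, would keep the two from drifting, which is presumably what the XXX marker is acknowledging.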
diff --git a/hw/display/vga.c b/hw/display/vga.c
index c8c49ab..6e4ca7e 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -2121,10 +2121,10 @@ void vga_common_init(VGACommonState *s, Object *obj,
bool global_vmstate)
expand4to8[i] = v;
}
- /* valid range: 1 MB -> 256 MB */
+ /* valid range: 1 MB -> 512 MB */
s->vram_size = 1024 * 1024;
while (s->vram_size < (s->vram_size_mb << 20) &&
- s->vram_size < (256 << 20)) {
+ s->vram_size < (512 << 20)) {
s->vram_size <<= 1;
}
s->vram_size_mb = s->vram_size >> 20;
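Review bot: raising the cap to 512 keeps the silent clamp that produced the original mismatch: a vram_size_mb above 512 still leaves this loop as 512 with no diagnostic, and the rounded value is only written back into `s->vram_size_mb` afterwards, so any caller that already derived other sizes from the requested value (as qxl did) gets no signal. Since the commit message says 1024 MiB doesn't work, a warning when `s->vram_size_mb` is lowered would make such cases visible; the comment should also read MiB rather than MB, matching the commit message. The index shows PULL 4/7 "vga: refactor vram_size clamping and rounding" in the same series, which looks like the natural place for that.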
--
1.8.3.1
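The mismatch the commit message describes (one component rounding and capping vram, another computing surface0_area_size from the uncapped request) is easy to reproduce in isolation. The following is an added illustration in C, not QEMU code: vga_round_vram() copies the doubling loop from the vga.c hunk with its cap passed in (256 before the patch, 512 after), qxl_vgamem_mb() models the minimum and the new cap from qxl_init_ramsize(), and surface0_fits() evaluates the invariant the patch asserts in init_qxl_rom(). The ram header size (RAM_HEADER_SIZE), the rule that bar 0 is requested at twice vgamem before rounding, and the function names are assumptions for the illustration and are not taken from this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code. It models the two independent size
 * computations that the patch brings back into agreement:
 *   - vga_round_vram(): the round-up-to-power-of-two loop from
 *     vga_common_init(), with its cap passed in (256 before, 512 after);
 *   - qxl_vgamem_mb(): the minimum/cap applied to vgamem_mb in
 *     qxl_init_ramsize() (the cap of 256 is what the patch adds).
 * surface0_fits() evaluates the invariant the patch asserts in
 * init_qxl_rom(). The header size and the "bar 0 is at least twice
 * vgamem" rule are assumptions, not taken from the patch.
 */

#define MIB (1024u * 1024u)

/* Assumed stand-in for the real ram_header_size (size of the QXL ram header). */
#define RAM_HEADER_SIZE 4096u

/* vga_common_init(): start at 1 MiB, double until >= requested or == cap. */
static uint64_t vga_round_vram(unsigned vram_size_mb, unsigned max_mb)
{
    uint64_t vram_size = MIB;
    while (vram_size < ((uint64_t)vram_size_mb << 20) &&
           vram_size < ((uint64_t)max_mb << 20)) {
        vram_size <<= 1;
    }
    return vram_size;
}

/* qxl_init_ramsize(): at least 8 MiB; cap_mb == 0 means "no cap" (old code). */
static unsigned qxl_vgamem_mb(unsigned requested_mb, unsigned cap_mb)
{
    if (requested_mb < 8) {
        requested_mb = 8;
    }
    if (cap_mb != 0 && requested_mb > cap_mb) {
        requested_mb = cap_mb;
    }
    return requested_mb;
}

/*
 * The check from init_qxl_rom(): ram header plus surface0 area must fit
 * in the vram that vga_common_init() actually allocated. Returns false
 * for exactly the configurations that used to reach qxl_dirty_surfaces()
 * with a surface0_area_size larger than vga.vram.
 */
static bool surface0_fits(unsigned vgamem_req_mb, unsigned vga_max_mb,
                          unsigned qxl_cap_mb)
{
    unsigned vgamem_mb = qxl_vgamem_mb(vgamem_req_mb, qxl_cap_mb);
    uint64_t surface0_area_size = (uint64_t)vgamem_mb * MIB;
    /* Assumption: bar 0 is requested at twice vgamem before rounding. */
    unsigned vram_size_mb = 2 * vgamem_mb;
    uint64_t vram_size = vga_round_vram(vram_size_mb, vga_max_mb);
    return RAM_HEADER_SIZE + surface0_area_size <= vram_size;
}

int main(void)
{
    /* Constructed configurations: (requested vgamem, vga cap, qxl cap). */
    struct { const char *label; unsigned req, vga_max, cap; } cases[] = {
        { "old, vgamem=128",     128, 256,   0 },
        { "old, vgamem=256",     256, 256,   0 },
        { "new, vgamem=256",     256, 512, 256 },
        { "new, vgamem=1024",   1024, 512, 256 },
        { "vga 512 but no cap",  512, 512,   0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-22s -> %s\n", cases[i].label,
               surface0_fits(cases[i].req, cases[i].vga_max, cases[i].cap)
                   ? "fits" : "OVERFLOW");
    }
    return 0;
}
```

The "old, vgamem=256" row is the crash the patch fixes: the request for 2 x 256 MiB of vram is cut to 256 MiB by the loop, while surface0_area_size stays at the full 256 MiB. The last row shows why the qxl-side cap is needed even after vga.c allows 512 MiB: without it, a 512 MiB vgamem request puts the same pair of sizes out of step again.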
- [Qemu-devel] [PULL 0/7] spice patch queue, Gerd Hoffmann, 2015/03/04
- [Qemu-devel] [PULL 3/7] qxl: refactor rounding up to a nearest power of 2, Gerd Hoffmann, 2015/03/04
- [Qemu-devel] [PULL 1/7] qxl: document minimal video memory for new modes, Gerd Hoffmann, 2015/03/04
- [Qemu-devel] [PULL 7/7] hmp: info spice: take out webdav, Gerd Hoffmann, 2015/03/04
- [Qemu-devel] [PULL 2/7] spice: fix invalid memory access to vga.vram, Gerd Hoffmann, 2015/03/04 (this message)
- [Qemu-devel] [PULL 5/7] qxl: drop update_displaychangelistener call for secondary qxl devices, Gerd Hoffmann, 2015/03/04
- [Qemu-devel] [PULL 4/7] vga: refactor vram_size clamping and rounding, Gerd Hoffmann, 2015/03/04
- [Qemu-devel] [PULL 6/7] hmp: info spice: Show string channel name, Gerd Hoffmann, 2015/03/04
- Re: [Qemu-devel] [PULL 0/7] spice patch queue, Peter Maydell, 2015/03/08