[Qemu-devel] [PULL for-2.9 0/7] cirrus: more blitter security fixes.

From: Gerd Hoffmann
Subject: [Qemu-devel] [PULL for-2.9 0/7] cirrus: more blitter security fixes.
Date: Thu, 16 Mar 2017 10:30:35 +0100


Another pile of cirrus blitter fixes, including CVE fixes for known
issues, so clearly 2.9 material.

Patches 6+7 implement a new approach to blitter memory access sanity
checking.  We pass around offsets not pointers, and at the place where
the actual memory access happens we mask the offset to the valid
range before calculating the pointer.

That should put an end to security holes due to blit_is_unsafe() sanity
checks failing to calculate some special case correctly, or due to
blit_is_unsafe() calls missing, and kill any dragons which might still
be lurking in the code.  In theory this even obsoletes blit_is_unsafe(),
but I don't feel like ripping it out right away ...

please pull,

The following changes since commit 1883ff34b540daacae948f493b0ba525edf5f642:

  Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2017-03-15 18:44:05 +0000)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-cirrus-20170316-1

for you to fetch changes up to ffaf857778286ca54e3804432a2369a279e73aa7:

  cirrus: stop passing around src pointers in the blitter (2017-03-16 08:58:16 

cirrus: blitter fixes.

Gerd Hoffmann (6):
      cirrus/vnc: zap bitblit support from console code.
      cirrus: switch to 4 MB video memory by default
      cirrus: add option to disable blitter
      cirrus: fix cirrus_invalidate_region
      cirrus: stop passing around dst pointers in the blitter
      cirrus: stop passing around src pointers in the blitter

hangaohuai (1):
      fix :cirrus_vga fix OOB read case qemu Segmentation fault

 hw/display/cirrus_vga.c      | 106 ++++++++++++++++--------
 hw/display/cirrus_vga_rop.h  | 191 ++++++++++++++++++++++++++-----------------
 hw/display/cirrus_vga_rop2.h | 125 ++++++++++++++--------------
 include/hw/compat.h          |   8 ++
 include/ui/console.h         |   7 --
 ui/console.c                 |  28 -------
 ui/vnc.c                     | 100 ----------------------
 7 files changed, 259 insertions(+), 306 deletions(-)
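
Constructed illustration of the offset-masking approach described in the
cover letter (an added example, not code from QEMU or from this series).
It models a toy VRAM of 64 KB (assumed; the size must be a power of two so
that off & (size - 1) bounds it) and puts the old style, a pointer-walking
copy guarded by a separate range check, next to the new style, an
offset-walking copy that masks at the single point where a pointer is
formed. All toy_* names, VRAM_SIZE and VRAM_MASK are this example's own,
and the check's treatment of negative pitch is mine too: it says nothing
about which case the real blit_is_unsafe() got wrong.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define VRAM_SIZE  (64u * 1024u)      /* assumed toy size; must be a power of two */
#define VRAM_MASK  (VRAM_SIZE - 1u)   /* off & VRAM_MASK only bounds power-of-two sizes */

typedef struct {
    uint8_t vram[VRAM_SIZE];
} toy_vga;

/* Old approach, step 1: a separate range check. Rows may run backwards
 * (negative pitch), so the lowest and highest byte touched both need care. */
bool toy_blit_is_unsafe(int64_t off, int64_t pitch, int width, int height)
{
    if (width <= 0 || height <= 0) {
        return true;
    }
    int64_t last_row = off + (int64_t)(height - 1) * pitch;
    int64_t lo = pitch < 0 ? last_row : off;
    int64_t hi = (pitch < 0 ? off : last_row) + width - 1;
    return lo < 0 || hi >= (int64_t)VRAM_SIZE;
}

/* Old approach, step 2: the copy walks raw pointers and trusts that step 1
 * already rejected anything that leaves vram[]. A region the check gets
 * wrong, or a call site that skips the check, touches host memory outside
 * the buffer. */
static void toy_blit_ptr(uint8_t *dst, const uint8_t *src,
                         int dstpitch, int srcpitch, int width, int height)
{
    for (int y = 0; y < height; y++) {
        memcpy(dst, src, (size_t)width);
        dst += dstpitch;
        src += srcpitch;
    }
}

/* Old approach combined: returns false if the check rejects the blit. */
bool toy_blit_checked(toy_vga *s, uint32_t dstoff, uint32_t srcoff,
                      int dstpitch, int srcpitch, int width, int height)
{
    if (toy_blit_is_unsafe(dstoff, dstpitch, width, height) ||
        toy_blit_is_unsafe(srcoff, srcpitch, width, height)) {
        return false;
    }
    toy_blit_ptr(s->vram + dstoff, s->vram + srcoff,
                 dstpitch, srcpitch, width, height);
    return true;
}

/* New approach: offsets are carried around instead of pointers, and the
 * only place a pointer is formed masks the offset into the VRAM window.
 * No access can leave vram[] regardless of what the caller computed. */
static inline uint8_t *toy_vram_ptr(toy_vga *s, uint32_t off)
{
    return s->vram + (off & VRAM_MASK);
}

void toy_blit_masked(toy_vga *s, uint32_t dstoff, uint32_t srcoff,
                     int dstpitch, int srcpitch, int width, int height)
{
    for (int y = 0; y < height; y++) {
        for (int x = 0; x < width; x++) {
            *toy_vram_ptr(s, dstoff + (uint32_t)x) =
                *toy_vram_ptr(s, srcoff + (uint32_t)x);
        }
        /* unsigned wrap on a negative pitch is fine: the mask fixes it up */
        dstoff += (uint32_t)dstpitch;
        srcoff += (uint32_t)srcpitch;
    }
}

/* Scenario (constructed): a 4x3 block at 0x100 with pitch 16 is copied to a
 * destination starting 2 bytes before the end of VRAM. The old check refuses
 * it (reported through *old_accepted); the masked blit performs it and the
 * three rows wrap to offsets 0, 14 and 30 instead of overrunning the
 * buffer. Caller frees the returned VRAM. */
toy_vga *toy_run_wrap_scenario(bool *old_accepted)
{
    toy_vga *s = calloc(1, sizeof(*s));
    if (!s) {
        abort();
    }
    for (int y = 0; y < 3; y++) {
        for (int x = 0; x < 4; x++) {
            s->vram[0x100 + y * 16 + x] = (uint8_t)(0x10 * y + x + 1);
        }
    }
    uint32_t dstoff = VRAM_SIZE - 2;
    *old_accepted = toy_blit_checked(s, dstoff, 0x100, 16, 16, 4, 3);
    toy_blit_masked(s, dstoff, 0x100, 16, 16, 4, 3);
    return s;
}
```

The scenario function shows the trade the cover letter is making: the old
path either rejects the blit or relies entirely on the check being right,
while the masked path cannot touch host memory outside vram[] for any
offset or pitch, and a blit that runs off the end simply wraps within the
guest's own framebuffer. The mask only bounds the buffer when its size is a
power of two, which the 4 MB default in this series satisfies; a
non-power-of-two size would need a modulo or a clamp at the same spot.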
