qemu/hw/display
linzhecheng 191f59dc17 vga: check the validation of memory addr when draw text
Start a VM with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2 -device pcnet -vga cirrus,
then use a VNC client to connect to the VM, and execute the code below in the guest
OS; this will lead to a QEMU crash:

#include <stdlib.h>
#include <sys/io.h>
#include <time.h>

int main()
{
    iopl(3);
    srand(time(NULL));
    int a, b;
    while (1) {
        a = rand() % 0x100;
        b = 0x3c0 + (rand() % 0x20);
        outb(a, b);
    }
    return 0;
}

The above code is writing the registers of VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of VGA RAM. So we should check the validity of the memory address
when reading or writing it to avoid a segfault.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
Fixes: CVE-2018-5683
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-01-25 10:18:39 +01:00
ads7846.c ssi: change ssi_slave_init to be a realize ops 2016-07-04 13:15:22 +01:00
bcm2835_fb.c hw: explicitly include qemu/log.h 2016-05-19 16:42:29 +02:00
blizzard.c Replace all occurances of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
cg3.c maint: Fix macros with broken 'do/while(0); ' usage 2018-01-16 14:54:52 +01:00
cirrus_vga_rop2.h cirrus: fix PUTPIXEL macro 2017-03-27 12:14:45 +02:00
cirrus_vga_rop.h cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16 2017-03-17 10:23:44 +01:00
cirrus_vga.c hw/display/vga: "vga_int.h" requires "ui/console.h" 2017-12-18 17:07:02 +03:00
dpcd.c maint: Fix macros with broken 'do/while(0); ' usage 2018-01-16 14:54:52 +01:00
exynos4210_fimd.c exynos: make display updates thread safe 2017-04-24 10:12:28 +02:00
framebuffer.c framebuffer: make display updates thread safe 2017-04-24 10:12:28 +02:00
framebuffer.h framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer 2015-07-24 13:57:45 +02:00
g364fb.c g364fb: make display updates thread safe 2017-04-24 10:12:28 +02:00
jazz_led.c jazz_led: fix bad snprintf 2017-05-10 10:19:24 +03:00
Makefile.objs add opengl_cflags to QEMU_CFLAGS 2017-03-21 10:25:01 +00:00
milkymist-tmu2.c lm32: milkymist-tmu2: fix a third integer overflow 2017-02-28 09:03:39 +03:00
milkymist-vgafb_template.h milkymist-vgafb: swap pixel data in source buffer 2014-02-04 19:34:30 +01:00
milkymist-vgafb.c milkymist: update specification URLs 2016-06-20 18:12:04 +02:00
omap_dss.c Replace all occurances of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
omap_lcd_template.h omap_lcdc: Remove support for DEPTH != 32 2016-05-12 13:22:24 +01:00
omap_lcdc.c omap_lcdc: Remove support for DEPTH != 32 2016-05-12 13:22:24 +01:00
pl110_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
pl110.c hw/display: QOM'ify pl110.c 2016-10-24 16:26:56 +01:00
pxa2xx_lcd.c Replace all occurances of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
pxa2xx_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
qxl-logger.c hw/display: Clean up includes 2016-01-29 15:07:24 +00:00
qxl-render.c Replace all occurances of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
qxl.c spice: remove QXLWorker interface field 2018-01-12 14:35:58 +01:00
qxl.h Replace all occurances of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
sm501_template.h sm501: Misc clean ups 2017-04-24 12:32:12 +01:00
sm501.c sm501: Add missing break to case 2018-01-20 17:15:05 +11:00
ssd0303.c i2c: Allow I2C devices to NAK start events 2017-01-09 11:40:20 +00:00
ssd0323.c vmstateify ssd0323 display 2016-09-22 18:13:08 +01:00
tc6393xb_template.h display: avoid multi-statement macro 2014-01-31 14:47:33 +00:00
tc6393xb.c Replace all occurances of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
tcx.c memory: Rename memory_region_init_ram() to memory_region_init_ram_nomigrate() 2017-07-14 17:59:42 +01:00
trace-events hw/display/xenfb.c: Add trace_xenfb_key_event 2017-09-26 09:06:02 +03:00
vga_int.h hw/display/vga: "vga_int.h" requires "ui/console.h" 2017-12-18 17:07:02 +03:00
vga_regs.h hw/display/vga: "vga.h" only contains registers defs, rename it "vga_regs.h" 2017-12-18 17:07:02 +03:00
vga-helpers.h vga: stop passing pointers to vga_draw_line* functions 2017-09-01 13:52:43 +02:00
vga-isa-mm.c hw/display/vga: extract public API from i386/pc to "hw/display/vga.h" 2017-12-18 17:07:02 +03:00
vga-isa.c hw/display/vga: extract public API from i386/pc to "hw/display/vga.h" 2017-12-18 17:07:02 +03:00
vga-pci.c hw/display/vga: "vga_int.h" requires "ui/console.h" 2017-12-18 17:07:02 +03:00
vga.c vga: check the validation of memory addr when draw text 2018-01-25 10:18:39 +01:00
virtio-gpu-3d.c virtio-gpu: move virtio_gpu_gl_block 2017-05-12 12:02:48 +02:00
virtio-gpu-pci.c virtio-gpu-pci: tag as not hotpluggable 2016-09-13 09:26:58 +02:00
virtio-gpu.c virtio-gpu: fix bug in host memory calculation. 2017-11-10 11:05:19 +01:00
virtio-vga.c hw/display/vga: "vga_int.h" requires "ui/console.h" 2017-12-18 17:07:02 +03:00
vmware_vga.c hw/display/vga: "vga_int.h" requires "ui/console.h" 2017-12-18 17:07:02 +03:00
xenfb.c Replace all occurances of __FUNCTION__ with __func__ 2018-01-22 09:46:18 +01:00
xlnx_dp.c maint: Fix macros with broken 'do/while(0); ' usage 2018-01-16 14:54:52 +01:00