qemu/display at 3d90c6254863693a6b13d918d2b8682e08bbc681 - qemu - SynapseOS git

mirrors/qemu

History

Gerd Hoffmann 3d90c62548 vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact:  DoS for privileged guest users.  qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com

2017-09-01 13:52:43 +02:00

..

ads7846.c

ssi: change ssi_slave_init to be a realize ops

2016-07-04 13:15:22 +01:00

bcm2835_fb.c

hw: explicitly include qemu/log.h

2016-05-19 16:42:29 +02:00

blizzard.c

hw/display/blizzard: Remove blizzard_template.h

2016-05-12 13:22:30 +01:00

cg3.c

hw: Use new memory_region_init_{ram, rom, rom_device}() functions

2017-07-14 17:59:42 +01:00

cirrus_vga_rop2.h

cirrus: fix PUTPIXEL macro

2017-03-27 12:14:45 +02:00

cirrus_vga_rop.h

cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16

2017-03-17 10:23:44 +01:00

cirrus_vga.c

cirrus: stop passing around src pointers in the blitter

2017-03-16 08:58:16 +01:00

dpcd.c

aux: Rename aux.[ch] to auxbus.[ch] for the benefit of Windows

2016-07-07 13:47:01 +01:00

exynos4210_fimd.c

exynos: make display updates thread safe

2017-04-24 10:12:28 +02:00

framebuffer.c

framebuffer: make display updates thread safe

2017-04-24 10:12:28 +02:00

framebuffer.h

framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer

2015-07-24 13:57:45 +02:00

g364fb.c

g364fb: make display updates thread safe

2017-04-24 10:12:28 +02:00

jazz_led.c

jazz_led: fix bad snprintf

2017-05-10 10:19:24 +03:00

Makefile.objs

add opengl_cflags to QEMU_CFLAGS

2017-03-21 10:25:01 +00:00

milkymist-tmu2.c

lm32: milkymist-tmu2: fix a third integer overflow

2017-02-28 09:03:39 +03:00

milkymist-vgafb_template.h

milkymist-vgafb: swap pixel data in source buffer

2014-02-04 19:34:30 +01:00

milkymist-vgafb.c

milkymist: update specification URLs

2016-06-20 18:12:04 +02:00

omap_dss.c

hw/display: Clean up includes

2016-01-29 15:07:24 +00:00

omap_lcd_template.h

omap_lcdc: Remove support for DEPTH != 32

2016-05-12 13:22:24 +01:00

omap_lcdc.c

omap_lcdc: Remove support for DEPTH != 32

2016-05-12 13:22:24 +01:00

pl110_template.h

display: avoid multi-statement macro

2014-01-31 14:47:33 +00:00

pl110.c

hw/display: QOM'ify pl110.c

2016-10-24 16:26:56 +01:00

pxa2xx_lcd.c

arm: Clean up includes

2016-01-29 15:07:23 +00:00

pxa2xx_template.h

display: avoid multi-statement macro

2014-01-31 14:47:33 +00:00

qxl-logger.c

hw/display: Clean up includes

2016-01-29 15:07:24 +00:00

qxl-render.c

hw/display: Clean up includes

2016-01-29 15:07:24 +00:00

qxl.c

qxl: call qemu_spice_display_init_common for secondary devices

2017-08-15 15:04:51 +01:00

qxl.h

qxl: add xres and yres properties

2017-04-24 10:12:28 +02:00

sm501_template.h

sm501: Misc clean ups

2017-04-24 12:32:12 +01:00

sm501.c

hw/display/sm501: Don't use vmstate_register_ram_global()

2017-07-25 13:04:28 +01:00

ssd0303.c

i2c: Allow I2C devices to NAK start events

2017-01-09 11:40:20 +00:00

ssd0323.c

vmstateify ssd0323 display

2016-09-22 18:13:08 +01:00

tc6393xb_template.h

display: avoid multi-statement macro

2014-01-31 14:47:33 +00:00

tc6393xb.c

hw: Use new memory_region_init_{ram, rom, rom_device}() functions

2017-07-14 17:59:42 +01:00

tcx.c

memory: Rename memory_region_init_ram() to memory_region_init_ram_nomigrate()

2017-07-14 17:59:42 +01:00

trace-events

trace-events: fix code style: print 0x before hex numbers

2017-08-01 12:13:07 +01:00

vga_int.h

vga: stop passing pointers to vga_draw_line* functions

2017-09-01 13:52:43 +02:00

vga-helpers.h

vga: stop passing pointers to vga_draw_line* functions

2017-09-01 13:52:43 +02:00

vga-isa-mm.c

hw/display: Clean up includes

2016-01-29 15:07:24 +00:00

vga-isa.c

portio: keep references on portio

2016-09-08 18:05:21 +04:00

vga-pci.c

hw/display: Clean up includes

2016-01-29 15:07:24 +00:00

vga.c

vga: stop passing pointers to vga_draw_line* functions

2017-09-01 13:52:43 +02:00

vga.h

Clean up ill-advised or unusual header guards

2016-07-12 16:20:46 +02:00

virtio-gpu-3d.c

virtio-gpu: move virtio_gpu_gl_block

2017-05-12 12:02:48 +02:00

virtio-gpu-pci.c

virtio-gpu-pci: tag as not hotpluggable

2016-09-13 09:26:58 +02:00

virtio-gpu.c

virtio-gpu: use DIV_ROUND_UP

2017-08-31 12:29:07 +02:00

virtio-vga.c

virtio: rename the bar index field name in VirtIOPCIProxy

2016-10-08 11:25:29 +03:00

vmware_vga.c

hw: Use new memory_region_init_{ram, rom, rom_device}() functions

2017-07-14 17:59:42 +01:00

xenfb.c

xenfb: remove xen_init_display "temporary" hack

2017-07-07 11:10:03 -07:00

xlnx_dp.c

qom: enforce readonly nature of link's check callback

2017-07-14 12:04:42 +02:00