qemu/hw
Gerd Hoffmann 95280c31cd cirrus: fix patterncopy checks
The blit_region_is_unsafe checks don't work correctly for the
patterncopy source.  It's a fixed-sized region, which doesn't
depend on cirrus_blt_{width,height}.  So go do the check in
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
it doesn't need to verify the source.  Also handle the case where we
blit from cirrus_bitbuf correctly.

This patch replaces 5858dd1801.

Security impact:  I think for the most part error on the safe side this
time, refusing blits which should have been allowed.

Only exception is placing the blit source at the end of the video ram,
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory.  But
even in that case I'm not fully sure this actually allows read access to
host memory.  To trick the commit 5858dd18 security checks one has to
pick very small cirrus_blt_{width,height} values, which in turn implies
only a fraction of the blit source will actually be used.

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
2017-02-10 16:49:45 +01:00
9pfs This pull request fixes a 2.9 regression and a long standing bug that can 2017-01-25 17:54:14 +00:00
acpi machine: Make possible_cpu_arch_ids() return const pointer 2017-01-23 21:25:37 -02:00
adc STM32F2xx: Add the ADC device 2016-10-04 13:28:07 +01:00
alpha Move target-* CPU file into a target/ folder 2016-12-20 21:52:12 +01:00
arm stellaris: Use the 'unimplemented' device for parts we don't implement 2017-02-07 18:55:15 +00:00
audio es1370: wire up reset via DeviceClass 2017-01-11 09:19:03 +01:00
block -----BEGIN PGP SIGNATURE----- 2017-02-02 16:08:28 +00:00
bt chardev: qom-ify 2017-01-27 18:08:00 +01:00
char Split serial-isa into its own config option 2017-02-06 12:33:21 +11:00
core vmstate registration: check return values 2017-02-06 13:36:49 +01:00
cpu Introduce DEVICE_CATEGORY_CPU for CPU devices 2017-01-27 18:07:31 +01:00
cris cris: Fix broken header guard in hw/cris/boot.h 2016-07-12 16:20:46 +02:00
display cirrus: fix patterncopy checks 2017-02-10 16:49:45 +01:00
dma dma: omap: check dma channel data_type 2017-01-27 15:29:08 +00:00
gpio hw/gpio: QOM'ify mpc8xxx.c 2017-01-31 10:10:13 +11:00
i2c arm: Uniquely name imx25 I2C buses. 2017-01-20 11:15:06 +00:00
i386 Xen 2017/02/02 2017-02-03 12:31:40 +00:00
ide xen-platform: add missing disk unplug option 2017-01-27 15:23:29 -08:00
input -----BEGIN PGP SIGNATURE----- 2017-02-02 16:08:28 +00:00
intc vmstate_register_with_alias_id: Take an Error ** 2017-02-06 13:36:49 +01:00
ipack ipack: Update e-mail address 2016-05-18 15:04:27 +03:00
ipmi ipmi: fix qemu crash while migrating with ipmi 2016-11-18 17:50:09 +02:00
isa Allow ISA bus to be configured out 2017-02-06 12:33:21 +11:00
lm32 char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
m68k m68k: QOMify the MCF Fast Ethernet Controller device 2017-01-20 10:36:38 +08:00
mem pc: memhp: enable nvdimm device hotplug 2016-11-01 19:21:09 +02:00
microblaze clean-up: removed duplicate #includes 2016-10-28 18:17:24 +03:00
mips char: rename CharDriverState Chardev 2017-01-27 18:07:59 +01:00
misc hw/misc: New "unimplemented" sysbus device 2017-02-07 18:55:15 +00:00
moxie hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
net -----BEGIN PGP SIGNATURE----- 2017-02-02 16:08:28 +00:00
nios2 nios2: Add Altera 10M50 GHRD emulation 2017-01-24 13:10:35 -08:00
nvram migration: extend VMStateInfo 2017-01-24 17:54:47 +00:00
openrisc hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
pci pci: Convert msix_init() to Error and fix callers 2017-02-01 03:37:18 +02:00
pci-bridge ppc patch queue 2017-02-02 2017-02-02 18:48:06 +00:00
pci-host ppc: Make uninorth interrupt swizzling identical to Grackle 2016-11-23 12:00:48 +11:00
pcmcia hw: Clean up includes 2016-01-29 15:07:25 +00:00
ppc hw/ppc/pnv: Use error_report instead of hw_error if a ROM file can't be found 2017-02-02 09:30:07 +11:00
s390x s390x/kvm: fix small race reboot vs. cmma 2017-02-01 09:11:56 +01:00
scsi pci: Convert msix_init() to Error and fix callers 2017-02-01 03:37:18 +02:00
sd sd: sdhci: check data length during dma_memory_read 2017-02-07 18:29:59 +00:00
sh4 cputlb: drop flush_global flag from tlb_flush 2017-01-13 14:24:37 +00:00
smbios stubs: move smbios stubs to hw/smbios 2017-01-16 17:52:35 +01:00
sparc fw_cfg: move FW_CFG_NB_CPUS out of fw_cfg_init1() 2016-11-16 12:09:58 -02:00
sparc64 target-sparc: fix up niagara machine 2017-01-18 22:03:44 +01:00
ssi aspeed/smc: handle dummy bytes when doing fast reads in command mode 2017-01-27 15:20:20 +00:00
timer Split ISA and sysbus versions of m48t59 device 2017-02-06 12:33:21 +11:00
tpm clean-up: removed duplicate #includes 2016-10-28 18:17:24 +03:00
tricore tricore: remove useless cast 2016-09-15 15:32:22 +03:00
unicore32 clean-up: removed duplicate #includes 2016-10-28 18:17:24 +03:00
usb xhci: fix event queue IRQ handling 2017-02-06 12:12:26 +01:00
vfio -----BEGIN PGP SIGNATURE----- 2017-02-02 16:08:28 +00:00
virtio vhost: skip ROM sections 2017-02-01 03:37:18 +02:00
watchdog wdt: Add Aspeed watchdog device model 2017-02-07 18:29:59 +00:00
xen Xen 2017/02/02 2017-02-03 12:31:40 +00:00
xenpv xenpv: Fix qemu_uuid compiling error 2016-09-29 11:43:17 +08:00
xtensa target/xtensa: refactor CCOUNT/CCOMPARE 2017-01-15 13:01:55 -08:00
Makefile.objs acpi: filter based on CONFIG_ACPI_X86 rather than TARGET 2017-01-16 17:52:35 +01:00