qemu/hw/display/virtio-gpu-3d.c
Li Qiang 42a8dadc74 virtio-gpu: fix information leak in getting capset info dispatch
In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
been full initialized before writing to the guest. This will leak
the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
patch fix this issue.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-12-05 09:37:52 +01:00

610 lines
19 KiB
C

/*
* Virtio GPU Device
*
* Copyright Red Hat, Inc. 2013-2014
*
* Authors:
* Dave Airlie <airlied@redhat.com>
* Gerd Hoffmann <kraxel@redhat.com>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "qemu-common.h"
#include "qemu/iov.h"
#include "trace.h"
#include "hw/virtio/virtio.h"
#include "hw/virtio/virtio-gpu.h"
#include "qapi/error.h"
#ifdef CONFIG_VIRGL
#include <virglrenderer.h>
static struct virgl_renderer_callbacks virtio_gpu_3d_cbs;
static void virgl_cmd_create_resource_2d(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_create_2d c2d;
struct virgl_renderer_resource_create_args args;
VIRTIO_GPU_FILL_CMD(c2d);
trace_virtio_gpu_cmd_res_create_2d(c2d.resource_id, c2d.format,
c2d.width, c2d.height);
args.handle = c2d.resource_id;
args.target = 2;
args.format = c2d.format;
args.bind = (1 << 1);
args.width = c2d.width;
args.height = c2d.height;
args.depth = 1;
args.array_size = 1;
args.last_level = 0;
args.nr_samples = 0;
args.flags = VIRTIO_GPU_RESOURCE_FLAG_Y_0_TOP;
virgl_renderer_resource_create(&args, NULL, 0);
}
static void virgl_cmd_create_resource_3d(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_create_3d c3d;
struct virgl_renderer_resource_create_args args;
VIRTIO_GPU_FILL_CMD(c3d);
trace_virtio_gpu_cmd_res_create_3d(c3d.resource_id, c3d.format,
c3d.width, c3d.height, c3d.depth);
args.handle = c3d.resource_id;
args.target = c3d.target;
args.format = c3d.format;
args.bind = c3d.bind;
args.width = c3d.width;
args.height = c3d.height;
args.depth = c3d.depth;
args.array_size = c3d.array_size;
args.last_level = c3d.last_level;
args.nr_samples = c3d.nr_samples;
args.flags = c3d.flags;
virgl_renderer_resource_create(&args, NULL, 0);
}
static void virgl_cmd_resource_unref(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_unref unref;
VIRTIO_GPU_FILL_CMD(unref);
trace_virtio_gpu_cmd_res_unref(unref.resource_id);
virgl_renderer_resource_unref(unref.resource_id);
}
static void virgl_cmd_context_create(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_ctx_create cc;
VIRTIO_GPU_FILL_CMD(cc);
trace_virtio_gpu_cmd_ctx_create(cc.hdr.ctx_id,
cc.debug_name);
virgl_renderer_context_create(cc.hdr.ctx_id, cc.nlen,
cc.debug_name);
}
static void virgl_cmd_context_destroy(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_ctx_destroy cd;
VIRTIO_GPU_FILL_CMD(cd);
trace_virtio_gpu_cmd_ctx_destroy(cd.hdr.ctx_id);
virgl_renderer_context_destroy(cd.hdr.ctx_id);
}
static void virtio_gpu_rect_update(VirtIOGPU *g, int idx, int x, int y,
int width, int height)
{
if (!g->scanout[idx].con) {
return;
}
dpy_gl_update(g->scanout[idx].con, x, y, width, height);
}
static void virgl_cmd_resource_flush(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_flush rf;
int i;
VIRTIO_GPU_FILL_CMD(rf);
trace_virtio_gpu_cmd_res_flush(rf.resource_id,
rf.r.width, rf.r.height, rf.r.x, rf.r.y);
for (i = 0; i < g->conf.max_outputs; i++) {
if (g->scanout[i].resource_id != rf.resource_id) {
continue;
}
virtio_gpu_rect_update(g, i, rf.r.x, rf.r.y, rf.r.width, rf.r.height);
}
}
static void virgl_cmd_set_scanout(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_set_scanout ss;
struct virgl_renderer_resource_info info;
int ret;
VIRTIO_GPU_FILL_CMD(ss);
trace_virtio_gpu_cmd_set_scanout(ss.scanout_id, ss.resource_id,
ss.r.width, ss.r.height, ss.r.x, ss.r.y);
if (ss.scanout_id >= g->conf.max_outputs) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: illegal scanout id specified %d",
__func__, ss.scanout_id);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_SCANOUT_ID;
return;
}
g->enable = 1;
memset(&info, 0, sizeof(info));
if (ss.resource_id && ss.r.width && ss.r.height) {
ret = virgl_renderer_resource_get_info(ss.resource_id, &info);
if (ret == -1) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: illegal resource specified %d\n",
__func__, ss.resource_id);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
return;
}
qemu_console_resize(g->scanout[ss.scanout_id].con,
ss.r.width, ss.r.height);
virgl_renderer_force_ctx_0();
dpy_gl_scanout(g->scanout[ss.scanout_id].con, info.tex_id,
info.flags & 1 /* FIXME: Y_0_TOP */,
info.width, info.height,
ss.r.x, ss.r.y, ss.r.width, ss.r.height);
} else {
if (ss.scanout_id != 0) {
dpy_gfx_replace_surface(g->scanout[ss.scanout_id].con, NULL);
}
dpy_gl_scanout(g->scanout[ss.scanout_id].con, 0, false,
0, 0, 0, 0, 0, 0);
}
g->scanout[ss.scanout_id].resource_id = ss.resource_id;
}
static void virgl_cmd_submit_3d(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_cmd_submit cs;
void *buf;
size_t s;
VIRTIO_GPU_FILL_CMD(cs);
trace_virtio_gpu_cmd_ctx_submit(cs.hdr.ctx_id, cs.size);
buf = g_malloc(cs.size);
s = iov_to_buf(cmd->elem.out_sg, cmd->elem.out_num,
sizeof(cs), buf, cs.size);
if (s != cs.size) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: size mismatch (%zd/%d)",
__func__, s, cs.size);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
goto out;
}
if (virtio_gpu_stats_enabled(g->conf)) {
g->stats.req_3d++;
g->stats.bytes_3d += cs.size;
}
virgl_renderer_submit_cmd(buf, cs.hdr.ctx_id, cs.size / 4);
out:
g_free(buf);
}
static void virgl_cmd_transfer_to_host_2d(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_transfer_to_host_2d t2d;
struct virtio_gpu_box box;
VIRTIO_GPU_FILL_CMD(t2d);
trace_virtio_gpu_cmd_res_xfer_toh_2d(t2d.resource_id);
box.x = t2d.r.x;
box.y = t2d.r.y;
box.z = 0;
box.w = t2d.r.width;
box.h = t2d.r.height;
box.d = 1;
virgl_renderer_transfer_write_iov(t2d.resource_id,
0,
0,
0,
0,
(struct virgl_box *)&box,
t2d.offset, NULL, 0);
}
static void virgl_cmd_transfer_to_host_3d(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_transfer_host_3d t3d;
VIRTIO_GPU_FILL_CMD(t3d);
trace_virtio_gpu_cmd_res_xfer_toh_3d(t3d.resource_id);
virgl_renderer_transfer_write_iov(t3d.resource_id,
t3d.hdr.ctx_id,
t3d.level,
t3d.stride,
t3d.layer_stride,
(struct virgl_box *)&t3d.box,
t3d.offset, NULL, 0);
}
static void
virgl_cmd_transfer_from_host_3d(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_transfer_host_3d tf3d;
VIRTIO_GPU_FILL_CMD(tf3d);
trace_virtio_gpu_cmd_res_xfer_fromh_3d(tf3d.resource_id);
virgl_renderer_transfer_read_iov(tf3d.resource_id,
tf3d.hdr.ctx_id,
tf3d.level,
tf3d.stride,
tf3d.layer_stride,
(struct virgl_box *)&tf3d.box,
tf3d.offset, NULL, 0);
}
static void virgl_resource_attach_backing(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_attach_backing att_rb;
struct iovec *res_iovs;
int ret;
VIRTIO_GPU_FILL_CMD(att_rb);
trace_virtio_gpu_cmd_res_back_attach(att_rb.resource_id);
ret = virtio_gpu_create_mapping_iov(&att_rb, cmd, NULL, &res_iovs);
if (ret != 0) {
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
return;
}
virgl_renderer_resource_attach_iov(att_rb.resource_id,
res_iovs, att_rb.nr_entries);
}
static void virgl_resource_detach_backing(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_detach_backing detach_rb;
struct iovec *res_iovs = NULL;
int num_iovs = 0;
VIRTIO_GPU_FILL_CMD(detach_rb);
trace_virtio_gpu_cmd_res_back_detach(detach_rb.resource_id);
virgl_renderer_resource_detach_iov(detach_rb.resource_id,
&res_iovs,
&num_iovs);
if (res_iovs == NULL || num_iovs == 0) {
return;
}
virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
}
static void virgl_cmd_ctx_attach_resource(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_ctx_resource att_res;
VIRTIO_GPU_FILL_CMD(att_res);
trace_virtio_gpu_cmd_ctx_res_attach(att_res.hdr.ctx_id,
att_res.resource_id);
virgl_renderer_ctx_attach_resource(att_res.hdr.ctx_id, att_res.resource_id);
}
static void virgl_cmd_ctx_detach_resource(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_ctx_resource det_res;
VIRTIO_GPU_FILL_CMD(det_res);
trace_virtio_gpu_cmd_ctx_res_detach(det_res.hdr.ctx_id,
det_res.resource_id);
virgl_renderer_ctx_detach_resource(det_res.hdr.ctx_id, det_res.resource_id);
}
static void virgl_cmd_get_capset_info(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_get_capset_info info;
struct virtio_gpu_resp_capset_info resp;
VIRTIO_GPU_FILL_CMD(info);
memset(&resp, 0, sizeof(resp));
if (info.capset_index == 0) {
resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
virgl_renderer_get_cap_set(resp.capset_id,
&resp.capset_max_version,
&resp.capset_max_size);
} else {
resp.capset_max_version = 0;
resp.capset_max_size = 0;
}
resp.hdr.type = VIRTIO_GPU_RESP_OK_CAPSET_INFO;
virtio_gpu_ctrl_response(g, cmd, &resp.hdr, sizeof(resp));
}
static void virgl_cmd_get_capset(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_get_capset gc;
struct virtio_gpu_resp_capset *resp;
uint32_t max_ver, max_size;
VIRTIO_GPU_FILL_CMD(gc);
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
resp = g_malloc(sizeof(*resp) + max_size);
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
virgl_renderer_fill_caps(gc.capset_id,
gc.capset_version,
(void *)resp->capset_data);
virtio_gpu_ctrl_response(g, cmd, &resp->hdr, sizeof(*resp) + max_size);
g_free(resp);
}
void virtio_gpu_virgl_process_cmd(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
VIRTIO_GPU_FILL_CMD(cmd->cmd_hdr);
cmd->waiting = g->renderer_blocked;
if (cmd->waiting) {
return;
}
virgl_renderer_force_ctx_0();
switch (cmd->cmd_hdr.type) {
case VIRTIO_GPU_CMD_CTX_CREATE:
virgl_cmd_context_create(g, cmd);
break;
case VIRTIO_GPU_CMD_CTX_DESTROY:
virgl_cmd_context_destroy(g, cmd);
break;
case VIRTIO_GPU_CMD_RESOURCE_CREATE_2D:
virgl_cmd_create_resource_2d(g, cmd);
break;
case VIRTIO_GPU_CMD_RESOURCE_CREATE_3D:
virgl_cmd_create_resource_3d(g, cmd);
break;
case VIRTIO_GPU_CMD_SUBMIT_3D:
virgl_cmd_submit_3d(g, cmd);
break;
case VIRTIO_GPU_CMD_TRANSFER_TO_HOST_2D:
virgl_cmd_transfer_to_host_2d(g, cmd);
break;
case VIRTIO_GPU_CMD_TRANSFER_TO_HOST_3D:
virgl_cmd_transfer_to_host_3d(g, cmd);
break;
case VIRTIO_GPU_CMD_TRANSFER_FROM_HOST_3D:
virgl_cmd_transfer_from_host_3d(g, cmd);
break;
case VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING:
virgl_resource_attach_backing(g, cmd);
break;
case VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING:
virgl_resource_detach_backing(g, cmd);
break;
case VIRTIO_GPU_CMD_SET_SCANOUT:
virgl_cmd_set_scanout(g, cmd);
break;
case VIRTIO_GPU_CMD_RESOURCE_FLUSH:
virgl_cmd_resource_flush(g, cmd);
break;
case VIRTIO_GPU_CMD_RESOURCE_UNREF:
virgl_cmd_resource_unref(g, cmd);
break;
case VIRTIO_GPU_CMD_CTX_ATTACH_RESOURCE:
/* TODO add security */
virgl_cmd_ctx_attach_resource(g, cmd);
break;
case VIRTIO_GPU_CMD_CTX_DETACH_RESOURCE:
/* TODO add security */
virgl_cmd_ctx_detach_resource(g, cmd);
break;
case VIRTIO_GPU_CMD_GET_CAPSET_INFO:
virgl_cmd_get_capset_info(g, cmd);
break;
case VIRTIO_GPU_CMD_GET_CAPSET:
virgl_cmd_get_capset(g, cmd);
break;
case VIRTIO_GPU_CMD_GET_DISPLAY_INFO:
virtio_gpu_get_display_info(g, cmd);
break;
default:
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
break;
}
if (cmd->finished) {
return;
}
if (cmd->error) {
fprintf(stderr, "%s: ctrl 0x%x, error 0x%x\n", __func__,
cmd->cmd_hdr.type, cmd->error);
virtio_gpu_ctrl_response_nodata(g, cmd, cmd->error);
return;
}
if (!(cmd->cmd_hdr.flags & VIRTIO_GPU_FLAG_FENCE)) {
virtio_gpu_ctrl_response_nodata(g, cmd, VIRTIO_GPU_RESP_OK_NODATA);
return;
}
trace_virtio_gpu_fence_ctrl(cmd->cmd_hdr.fence_id, cmd->cmd_hdr.type);
virgl_renderer_create_fence(cmd->cmd_hdr.fence_id, cmd->cmd_hdr.type);
}
static void virgl_write_fence(void *opaque, uint32_t fence)
{
VirtIOGPU *g = opaque;
struct virtio_gpu_ctrl_command *cmd, *tmp;
QTAILQ_FOREACH_SAFE(cmd, &g->fenceq, next, tmp) {
/*
* the guest can end up emitting fences out of order
* so we should check all fenced cmds not just the first one.
*/
if (cmd->cmd_hdr.fence_id > fence) {
continue;
}
trace_virtio_gpu_fence_resp(cmd->cmd_hdr.fence_id);
virtio_gpu_ctrl_response_nodata(g, cmd, VIRTIO_GPU_RESP_OK_NODATA);
QTAILQ_REMOVE(&g->fenceq, cmd, next);
g_free(cmd);
g->inflight--;
if (virtio_gpu_stats_enabled(g->conf)) {
fprintf(stderr, "inflight: %3d (-)\r", g->inflight);
}
}
}
static virgl_renderer_gl_context
virgl_create_context(void *opaque, int scanout_idx,
struct virgl_renderer_gl_ctx_param *params)
{
VirtIOGPU *g = opaque;
QEMUGLContext ctx;
QEMUGLParams qparams;
qparams.major_ver = params->major_ver;
qparams.minor_ver = params->minor_ver;
ctx = dpy_gl_ctx_create(g->scanout[scanout_idx].con, &qparams);
return (virgl_renderer_gl_context)ctx;
}
static void virgl_destroy_context(void *opaque, virgl_renderer_gl_context ctx)
{
VirtIOGPU *g = opaque;
QEMUGLContext qctx = (QEMUGLContext)ctx;
dpy_gl_ctx_destroy(g->scanout[0].con, qctx);
}
static int virgl_make_context_current(void *opaque, int scanout_idx,
virgl_renderer_gl_context ctx)
{
VirtIOGPU *g = opaque;
QEMUGLContext qctx = (QEMUGLContext)ctx;
return dpy_gl_ctx_make_current(g->scanout[scanout_idx].con, qctx);
}
static struct virgl_renderer_callbacks virtio_gpu_3d_cbs = {
.version = 1,
.write_fence = virgl_write_fence,
.create_gl_context = virgl_create_context,
.destroy_gl_context = virgl_destroy_context,
.make_current = virgl_make_context_current,
};
static void virtio_gpu_print_stats(void *opaque)
{
VirtIOGPU *g = opaque;
if (g->stats.requests) {
fprintf(stderr, "stats: vq req %4d, %3d -- 3D %4d (%5d)\n",
g->stats.requests,
g->stats.max_inflight,
g->stats.req_3d,
g->stats.bytes_3d);
g->stats.requests = 0;
g->stats.max_inflight = 0;
g->stats.req_3d = 0;
g->stats.bytes_3d = 0;
} else {
fprintf(stderr, "stats: idle\r");
}
timer_mod(g->print_stats, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 1000);
}
static void virtio_gpu_fence_poll(void *opaque)
{
VirtIOGPU *g = opaque;
virgl_renderer_poll();
virtio_gpu_process_cmdq(g);
if (!QTAILQ_EMPTY(&g->cmdq) || !QTAILQ_EMPTY(&g->fenceq)) {
timer_mod(g->fence_poll, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 10);
}
}
void virtio_gpu_virgl_fence_poll(VirtIOGPU *g)
{
virtio_gpu_fence_poll(g);
}
void virtio_gpu_virgl_reset(VirtIOGPU *g)
{
int i;
/* virgl_renderer_reset() ??? */
for (i = 0; i < g->conf.max_outputs; i++) {
if (i != 0) {
dpy_gfx_replace_surface(g->scanout[i].con, NULL);
}
dpy_gl_scanout(g->scanout[i].con, 0, false, 0, 0, 0, 0, 0, 0);
}
}
int virtio_gpu_virgl_init(VirtIOGPU *g)
{
int ret;
ret = virgl_renderer_init(g, 0, &virtio_gpu_3d_cbs);
if (ret != 0) {
return ret;
}
g->fence_poll = timer_new_ms(QEMU_CLOCK_VIRTUAL,
virtio_gpu_fence_poll, g);
if (virtio_gpu_stats_enabled(g->conf)) {
g->print_stats = timer_new_ms(QEMU_CLOCK_VIRTUAL,
virtio_gpu_print_stats, g);
timer_mod(g->print_stats, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) + 1000);
}
return 0;
}
#endif /* CONFIG_VIRGL */