[Qemu-devel] [PULL for-2.9 0/7] cirrus: more blitter security fixes.

Gerd Hoffmann posted 7 patches 7 years ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/1489656642-12925-1-git-send-email-kraxel@redhat.com
Test checkpatch passed
Test docker passed
Test s390x passed
[Qemu-devel] [PULL for-2.9 0/7] cirrus: more blitter security fixes.
Posted by Gerd Hoffmann 7 years ago
  Hi,

Another pile of cirrus blitter fixes, including cve fixes for known
issues, so clearly 2.9 material.

Patches 6+7 implement a new approach to blitter memory access sanity
checking.  We pass around offsets not pointers, and at the place where
the actual memory access happens we mask the offset to the valid
range before calculating the pointer.

That should put an end to security holes due to blit_is_unsafe() sanity
checks failing to calculate some special case correctly, or due to
blit_is_unsafe() calls missing, and kill any dragons which might still
be lurking in the code.  In theory this even obsoletes blit_is_unsafe(),
but I don't feel like ripping it out right away ...

please pull,
  Gerd

The following changes since commit 1883ff34b540daacae948f493b0ba525edf5f642:

  Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2017-03-15 18:44:05 +0000)

are available in the git repository at:


  git://git.kraxel.org/qemu tags/pull-cirrus-20170316-1

for you to fetch changes up to ffaf857778286ca54e3804432a2369a279e73aa7:

  cirrus: stop passing around src pointers in the blitter (2017-03-16 08:58:16 +0100)

----------------------------------------------------------------
cirrus: blitter fixes.

----------------------------------------------------------------
Gerd Hoffmann (6):
      cirrus/vnc: zap bitblit support from console code.
      cirrus: switch to 4 MB video memory by default
      cirrus: add option to disable blitter
      cirrus: fix cirrus_invalidate_region
      cirrus: stop passing around dst pointers in the blitter
      cirrus: stop passing around src pointers in the blitter

hangaohuai (1):
      fix :cirrus_vga fix OOB read case qemu Segmentation fault

 hw/display/cirrus_vga.c      | 106 ++++++++++++++++--------
 hw/display/cirrus_vga_rop.h  | 191 ++++++++++++++++++++++++++-----------------
 hw/display/cirrus_vga_rop2.h | 125 ++++++++++++++--------------
 include/hw/compat.h          |   8 ++
 include/ui/console.h         |   7 --
 ui/console.c                 |  28 -------
 ui/vnc.c                     | 100 ----------------------
 7 files changed, 259 insertions(+), 306 deletions(-)
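The cover letter's approach, passing offsets rather than pointers and masking each offset into the valid range at the point of access, as an added toy model in C. This is example code written for this page, not QEMU's cirrus_vga implementation: the 64 KiB VRAM size, the function names and the blit routine are all constructed for illustration. It also shows, for contrast, why an up-front end-of-region calculation in the style the letter calls error-prone is easy to get wrong for a bottom-up (negative pitch) blit, and how masking at the access makes that case harmless.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of the offset-masking approach described in the cover letter.
 * Added example, not QEMU code: VRAM size, names and the blit routine are
 * constructed.  The VRAM size must be a power of two so that masking with
 * (size - 1) folds any offset, however large, into the valid range. */
#define VRAM_SIZE  (64u * 1024u)          /* constructed: 64 KiB toy VRAM */
#define VRAM_MASK  (VRAM_SIZE - 1u)

static uint8_t vram[VRAM_SIZE];

/* The only place a pointer into VRAM is formed.  Callers hand over an
 * offset, never a pointer, and the mask is applied here, at the access. */
static inline uint8_t *vram_ptr(uint32_t off)
{
    return &vram[off & VRAM_MASK];
}

/* Fill VRAM with a recognisable pattern so a test can see what moved. */
void vram_fill_pattern(void)
{
    for (uint32_t i = 0; i < VRAM_SIZE; i++) {
        vram[i] = (uint8_t)((i >> 8) ^ i);
    }
}

/* Masked read, for inspecting the buffer after a blit. */
uint8_t vram_at(uint32_t off)
{
    return *vram_ptr(off);
}

/* A copy blit parameterised the way a guest programs the hardware: start
 * offsets, width and height, and signed pitches.  A negative pitch is a
 * bottom-up blit, the kind of special case an up-front range check has to
 * get exactly right.  Here no such check is needed: unsigned offset
 * arithmetic wraps, and vram_ptr() masks every offset into range. */
void blit_copy(uint32_t dst, uint32_t src, int width, int height,
               int dst_pitch, int src_pitch)
{
    for (int y = 0; y < height; y++) {
        for (int x = 0; x < width; x++) {
            *vram_ptr(dst + (uint32_t)x) = *vram_ptr(src + (uint32_t)x);
        }
        dst += (uint32_t)dst_pitch;
        src += (uint32_t)src_pitch;
    }
}

/* For contrast: an up-front check that only looks at where the region
 * ends.  That is right for a positive pitch and wrong for a negative one,
 * where the region grows towards lower addresses. */
bool region_end_check_says_safe(uint32_t off, int width, int height, int pitch)
{
    int64_t end = (int64_t)off + (int64_t)(height - 1) * pitch + width;
    return end <= (int64_t)VRAM_SIZE;
}

/* The lowest raw (unmasked) index the blit loop would touch.  A negative
 * result means a pointer-based blitter that trusted the check above would
 * access memory before the start of the buffer. */
int64_t blit_min_raw_index(uint32_t off, int height, int pitch)
{
    int64_t first = (int64_t)off;
    int64_t last  = first + (int64_t)(height - 1) * pitch;
    return last < first ? last : first;
}
```

The design point is the one the letter makes: correctness no longer depends on every caller remembering to run a sanity check, or on that check modelling every pitch and wrap-around combination, because the single access helper cannot produce an out-of-range pointer. The price is that a mis-programmed blit silently wraps within VRAM instead of being rejected, which is acceptable for emulated video memory.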

Re: [Qemu-devel] [PULL for-2.9 0/7] cirrus: more blitter security fixes.
Posted by Peter Maydell 7 years ago
On 16 March 2017 at 09:30, Gerd Hoffmann <kraxel@redhat.com> wrote:
>   Hi,
>
> Another pile of cirrus blitter fixes, including cve fixes for known
> issues, so clearly 2.9 material.
>
> Patches 6+7 implement a new approach to blitter memory access sanity
> checking.  We pass around offsets not pointers, and at the place where
> the actual memory access happens we mask the offset to the valid
> range before calculating the pointer.
>
> That should put an end to security holes due to blit_is_unsafe() sanity
> checks failing to calculate some special case correctly, or due to
> blit_is_unsafe() calls missing, and kill any dragons which might still
> be lurking in the code.  In theory this even obsoletes blit_is_unsafe(),
> but I don't feel like ripping it out right away ...
>
> please pull,
>   Gerd
>
> The following changes since commit 1883ff34b540daacae948f493b0ba525edf5f642:
>
>   Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2017-03-15 18:44:05 +0000)
>
> are available in the git repository at:
>
>
>   git://git.kraxel.org/qemu tags/pull-cirrus-20170316-1
>
> for you to fetch changes up to ffaf857778286ca54e3804432a2369a279e73aa7:
>
>   cirrus: stop passing around src pointers in the blitter (2017-03-16 08:58:16 +0100)
>
> ----------------------------------------------------------------
> cirrus: blitter fixes.
>

Applied, thanks.

-- PMM