From: linzhecheng
Date: Thu, 11 Jan 2018 21:21:40 +0800
Message-ID: <20180111132140.34668-1-linzhecheng@huawei.com>
Subject: [Qemu-devel] [PATCH v2] vga: check the validation of memory addr when draw text
Cc: linzhecheng, wangxinxin.wang@huawei.com, arei.gonglei@huawei.com, kraxel@redhat.com, fangying, fabrice@bellard.org

From: fangying

Start a VM with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda redhat_5.11.qcow2 -device pcnet -vga cirrus, then use a VNC client to connect to the VM; executing the code below in the guest OS will lead to a qemu crash:

    #include <stdlib.h>
    #include <time.h>
    #include <sys/io.h>

    int main() {
        iopl(3);                          /* allow raw port I/O from user space */
        srand(time(NULL));
        int a, b;
        while (1) {
            a = rand() % 0x100;           /* random byte value */
            b = 0x3c0 + (rand() % 0x20);  /* random port in the VGA range 0x3c0-0x3df */
            outb(a, b);
        }
        return 0;
    }

The above code is writing the registers of VGA randomly. We can write VGA CRT controller registers index 0x0C or 0x0D (which is the start address register) to modify the display memory address of the upper left pixel or character of the screen. The address may be out of the range of vga ram. So we should check the validation of memory address when reading or writing it to avoid segfault.

Signed-off-by: linzhecheng
---
 hw/display/vga.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index a041200..6e78a4e 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1279,6 +1279,9 @@ static void vga_draw_text(VGACommonState *s, int full= _update) cx_min =3D width; cx_max =3D -1; for(cx =3D 0; cx < width; cx++) { + if (src + sizeof(uint16_t) > s->vram_ptr + s->vram_size) { + break; + } ch_attr =3D *(uint16_t *)src; if (full_update || ch_attr !=3D *ch_attr_ptr || src =3D=3D cur= sor_ptr) { if (cx < cx_min) --=20 1.8.3.1
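Review bot: the new check in vga_draw_text compares `src + sizeof(uint16_t)` against `s->vram_ptr + s->vram_size`, which forms a pointer beyond the end of the VRAM buffer before comparing it; comparing offsets instead, e.g. `if (src - s->vram_ptr + sizeof(uint16_t) > s->vram_size) { break; }`, keeps the test within defined pointer arithmetic. The `break` also only leaves the per-character loop, so when the first character of a row is already out of range, cx_min/cx_max stay at their initial `width`/`-1` values and the row is silently skipped; since the commit message traces the problem to a guest-writable start address (CRTC index 0x0C/0x0D), validating or masking that address once, before the row loop, would be simpler and cheaper than a check on every character. A short note on what changed since v1 would also help reviewers.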