[Qemu-commits] [qemu/qemu] 61c34f: hw/display/qxl: Have qxl_log_command
From: Paolo Bonzini
Subject: [Qemu-commits] [qemu/qemu] 61c34f: hw/display/qxl: Have qxl_log_command Return early ...
Date: Tue, 29 Nov 2022 15:18:03 -0800
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 61c34fc194b776ecadc39fb26b061331107e5599
https://github.com/qemu/qemu/commit/61c34fc194b776ecadc39fb26b061331107e5599
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M hw/display/qxl-logger.c
Log Message:
-----------
hw/display/qxl: Have qxl_log_command Return early if no log_cmd handler
Only 3 command types are logged: no need to call qxl_phys2virt()
for the other types. Using different cases will help to pass
different structure sizes to qxl_phys2virt() in a pair of commits.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-2-philmd@linaro.org>
Commit: b1901de83a9456cde26fc755f71ca2b7b3ef50fc
https://github.com/qemu/qemu/commit/b1901de83a9456cde26fc755f71ca2b7b3ef50fc
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M hw/display/qxl.h
Log Message:
-----------
hw/display/qxl: Document qxl_phys2virt()
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-3-philmd@linaro.org>
Commit: 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f
https://github.com/qemu/qemu/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M hw/display/qxl-logger.c
M hw/display/qxl-render.c
M hw/display/qxl.c
M hw/display/qxl.h
Log Message:
-----------
hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.
For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no changes are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-4-philmd@linaro.org>
Commit: 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622
https://github.com/qemu/qemu/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M hw/display/qxl.c
M hw/display/qxl.h
Log Message:
-----------
hw/display/qxl: Avoid buffer overrun in qxl_phys2virt (CVE-2022-4144)
Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.
Similarly qxl_phys2virt() now returns NULL in such case, and
qxl_dirty_one_surface() aborts.
This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().
Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-5-philmd@linaro.org>
Commit: 86fdb0582c653a9824183679403a85f588260d62
https://github.com/qemu/qemu/commit/86fdb0582c653a9824183679403a85f588260d62
Author: Philippe Mathieu-Daudé <philmd@linaro.org>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M hw/display/qxl.c
Log Message:
-----------
hw/display/qxl: Assert memory slot fits in preallocated MemoryRegion
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-6-philmd@linaro.org>
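The five qxl commits above describe the same class of check from two sides: a guest-supplied QXLPHYSICAL address is translated to a host pointer, and the translation must refuse the request unless the whole buffer the caller intends to read (not just its first byte) lies inside the memory slot; separately, a slot may only be registered if it fits inside the backing region. The following C program is an added illustration written for this page, not QEMU's code: the slot table, the 8-bit slot id / 56-bit offset split, the field names (delta, offset, size), the helper names (slot_add, phys2virt_unchecked, phys2virt_checked, demo) and the 4 KiB constructed backing RAM are all assumptions chosen to model the commit messages, and the "unchecked" variant stands in for the pre-fix behaviour they describe (start offset validated, requested size ignored).

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a QXL-style memory slot table (assumption, not QEMU's code). */
#define NUM_MEMSLOTS        8
#define MEMSLOT_OFFSET_BITS 56                                        /* top 8 bits = slot id */
#define MEMSLOT_OFFSET_MASK ((UINT64_C(1) << MEMSLOT_OFFSET_BITS) - 1)

typedef struct {
    bool     active;
    uint64_t delta;    /* guest base of the slot: guest address = delta + offset  */
    uint64_t offset;   /* start of the slot inside the backing region             */
    uint64_t size;     /* slot length in bytes                                    */
    uint8_t *ram;      /* host pointer to the backing region                      */
    uint64_t ram_size; /* length of the backing region                            */
} MemSlot;

static uint8_t g_ram[4096];                /* constructed backing RAM for the model */
static MemSlot g_slots[NUM_MEMSLOTS];

/* Register a slot. The slot must fit inside the backing region; the subtraction
 * form avoids the offset+size overflow a naive "offset + size <= ram_size" allows. */
static bool slot_add(unsigned id, uint64_t delta, uint64_t offset, uint64_t size)
{
    if (id >= NUM_MEMSLOTS || size == 0) return false;
    if (offset > sizeof g_ram || size > sizeof g_ram - offset) return false;
    g_slots[id] = (MemSlot){ .active = true, .delta = delta, .offset = offset,
                             .size = size, .ram = g_ram, .ram_size = sizeof g_ram };
    return true;
}

/* Split a guest physical address into slot id and offset; reject inactive slots. */
static bool decode_phys(uint64_t phys, unsigned *slot, uint64_t *offset)
{
    *slot   = (unsigned)(phys >> MEMSLOT_OFFSET_BITS);
    *offset = phys & MEMSLOT_OFFSET_MASK;
    return *slot < NUM_MEMSLOTS && g_slots[*slot].active;
}

/* Common part: validate the *start* of the buffer and return the slot-relative offset. */
static MemSlot *check_start(uint64_t phys, uint64_t *rel)
{
    unsigned slot; uint64_t off;
    if (!decode_phys(phys, &slot, &off)) return NULL;
    MemSlot *s = &g_slots[slot];
    if (off < s->delta) return NULL;           /* below the slot's guest base */
    off -= s->delta;
    if (off > s->size) return NULL;            /* start lies past the slot    */
    *rel = off;
    return s;
}

/* Pre-fix behaviour (model): only the start offset is validated, so a caller that
 * then reads sizeof(struct) bytes can walk off the end of the slot. */
static void *phys2virt_unchecked(uint64_t phys)
{
    uint64_t off;
    MemSlot *s = check_start(phys, &off);
    return s ? s->ram + s->offset + off : NULL;
}

/* Fixed behaviour (model): the caller passes the size it will access and the
 * translation fails unless [off, off + size_requested) lies inside the slot. */
static void *phys2virt_checked(uint64_t phys, size_t size_requested)
{
    uint64_t off;
    MemSlot *s = check_start(phys, &off);
    if (!s) return NULL;
    uint64_t available = s->size - off;        /* off <= size, so no underflow */
    if (size_requested > available) return NULL;
    return s->ram + s->offset + off;
}

/* Returns 1 when the unchecked path hands out a pointer for a buffer that the
 * checked path correctly refuses: a 64-byte object placed 16 bytes before slot end. */
static int demo(void)
{
    memset(g_slots, 0, sizeof g_slots);
    if (!slot_add(1, 0x1000, 256, 1024)) return 0;     /* slot 1: 1 KiB, guest base 0x1000 */
    uint64_t near_end = (UINT64_C(1) << MEMSLOT_OFFSET_BITS) | (0x1000 + 1024 - 16);
    void *p_un  = phys2virt_unchecked(near_end);       /* non-NULL: overrun not detected */
    void *p_ok  = phys2virt_checked(near_end, 16);     /* non-NULL: 16 bytes still fit   */
    void *p_bad = phys2virt_checked(near_end, 64);     /* NULL: 64 bytes do not fit      */
    return p_un != NULL && p_ok != NULL && p_bad == NULL;
}

int main(void)
{
    printf("size-aware translation rejects the overrun: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The point to carry over to any guest-to-host translation layer is that a bounds check on the start address alone is not a bounds check: the caller's access width has to be part of the contract, which is why the series first threads the requested size through every qxl_phys2virt() call site and only then adds the comparison.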
Commit: 7103895123d580bbe93e341241d200e75d8996a1
https://github.com/qemu/qemu/commit/7103895123d580bbe93e341241d200e75d8996a1
Author: Stefan Hajnoczi <stefanha@redhat.com>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M block/block-backend.c
Log Message:
-----------
block-backend: avoid bdrv_unregister_buf() NULL pointer deref
bdrv_*() APIs expect a valid BlockDriverState. Calling them with bs=NULL
leads to undefined behavior.
Jonathan Cameron reported this following NULL pointer dereference when a
VM with a virtio-blk device and a memory-backend-file object is
terminated:
1. qemu_cleanup() closes all drives, setting blk->root to NULL
2. qemu_cleanup() calls user_creatable_cleanup(), which results in a RAM
block notifier callback because the memory-backend-file is destroyed.
3. blk_unregister_buf() is called by virtio-blk's BlockRamRegistrar
notifier callback and undefined behavior occurs.
Fixes: baf422684d73 ("virtio-blk: use BDRV_REQ_REGISTERED_BUF optimization hint")
Co-authored-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221121211923.1993171-1-stefanha@redhat.com>
Commit: 475e56b630669db02994c1e7fbd3c6e3468e9c1e
https://github.com/qemu/qemu/commit/475e56b630669db02994c1e7fbd3c6e3468e9c1e
Author: Evgeny Ermakov <evgeny.v.ermakov@gmail.com>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M target/arm/cpu.c
M target/arm/cpu_tcg.c
M target/arm/internals.h
Log Message:
-----------
target/arm: Set TCGCPUOps.restore_state_to_opc for v7m
This setting got missed, breaking v7m.
Fixes: 56c6c98df85c ("target/arm: Convert to tcg_ops restore_state_to_opc")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1347
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Evgeny Ermakov <evgeny.v.ermakov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221129204146.550394-1-richard.henderson@linaro.org>
Commit: c4ffd91aba1c3d878e99a3e7ba8aad4826728ece
https://github.com/qemu/qemu/commit/c4ffd91aba1c3d878e99a3e7ba8aad4826728ece
Author: Stefan Hajnoczi <stefanha@redhat.com>
Date: 2022-11-29 (Tue, 29 Nov 2022)
Changed paths:
M VERSION
Log Message:
-----------
Update VERSION for v7.2.0-rc3
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Compare: https://github.com/qemu/qemu/compare/ecbb6bd865d2...c4ffd91aba1c