falso
/
qemu-irix
mirror of https://github.com/n64decomp/qemu-irix.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
qemu-irix/hw/display
History
Gerd Hoffmann 670ddcc0aa cirrus: fix patterncopy checks 
The blit_region_is_unsafe checks don't work correctly for the
patterncopy source.  It's a fixed-sized region, which doesn't
depend on cirrus_blt_{width,height}.  So go do the check in
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
it doesn't need to verify the source.  Also handle the case where we
blit from cirrus_bitbuf correctly.

This patch replaces 5858dd1801.

Security impact:  I think for the most part error on the safe side this
time, refusing blits which should have been allowed.

Only exception is placing the blit source at the end of the video ram,
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory.  But
even in that case I'm not fully sure this actually allows read access to
host memory.  To trick the commit 5858dd18 security checks one has to
pick very small cirrus_blt_{width,height} values, which in turn implies
only a fraction of the blit source will actually be used.

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 95280c31cd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
 		2017-03-21 15:02:29 -05:00
..
Makefile.objs
ads7846.c
bcm2835_fb.c
blizzard.c
cg3.c
cirrus_vga.c cirrus: fix patterncopy checks 2017-03-21 15:02:29 -05:00
cirrus_vga_rop.h
cirrus_vga_rop2.h
dpcd.c
exynos4210_fimd.c
framebuffer.c
framebuffer.h
g364fb.c
jazz_led.c
milkymist-tmu2.c lm32: milkymist-tmu2: fix integer overflow 2016-10-28 18:17:23 +03:00
milkymist-vgafb.c
milkymist-vgafb_template.h
omap_dss.c
omap_lcd_template.h
omap_lcdc.c
pl110.c hw/display: QOM'ify pl110.c 2016-10-24 16:26:56 +01:00
pl110_template.h
pxa2xx_lcd.c
pxa2xx_template.h
qxl-logger.c
qxl-render.c
qxl.c qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config changes 2016-12-05 09:37:52 +01:00
qxl.h
sm501.c
sm501_template.h
ssd0303.c
ssd0323.c
tc6393xb.c
tc6393xb_template.h
tcx.c
trace-events
vga-helpers.h
vga-isa-mm.c
vga-isa.c
vga-pci.c
vga.c
vga.h
vga_int.h
virtio-gpu-3d.c virtio-gpu: fix information leak in getting capset info dispatch 2016-12-05 09:37:52 +01:00
virtio-gpu-pci.c
virtio-gpu.c virtio-gpu: fix memory leak in update_cursor_data_virgl 2016-12-05 09:37:52 +01:00
virtio-vga.c
vmware_vga.c
xenfb.c xen: Rename xen_be_find_xendev 2016-10-28 17:54:39 -07:00
xlnx_dp.c