1. 16 Mar 2017, 5 commits
    • cirrus: stop passing around dst pointers in the blitter · 026aeffc
      Committed by Gerd Hoffmann
      Instead pass around the address (aka offset into vga memory).  Calculate
      the pointer in the rop_* functions, after applying the mask to the
      address, to make sure the address stays within the valid range.
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 1489574872-8679-1-git-send-email-kraxel@redhat.com
    • cirrus: fix cirrus_invalidate_region · e048dac6
      Committed by Gerd Hoffmann
      off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
      Fix calculation to make sure to allow that, otherwise the assert added
      by commit f153b563 can trigger for valid blits.
      
      Test case: boot windows nt 4.0
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 1489579606-26020-1-git-send-email-kraxel@redhat.com
    • cirrus: add option to disable blitter · 827bd517
      Committed by Gerd Hoffmann
      Ok, we have this beast in the cirrus code which is not used at all by
      modern guests, except when you try to find security holes in qemu.  So,
      add an option to disable blitter altogether.  Guests released within
      the last ten years should not show any rendering issues if you turn off
      blitter support.
      
      There are no known bugs in the cirrus blitter code.  But in the past we
      hoped a few times already that we've finally nailed the last issue.  So
      having some easy way to mitigate in case yet another blitter issue shows
      up certainly makes me sleep a bit better at night.
      
      For completeness:  The by far better way to mitigate is to switch away
      from cirrus and use stdvga instead.  Or something more modern like
      virtio-vga in case your guest has support for it.
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 1489494540-15745-1-git-send-email-kraxel@redhat.com
    • cirrus: switch to 4 MB video memory by default · 73c14813
      Committed by Gerd Hoffmann
      Quoting cirrus source code:
         Follow real hardware, cirrus card emulated has 4 MB video memory.
         Also accept 8 MB/16 MB for backward compatibility.
      
      So just use 4MB by default.  We decided to leave that at 8MB by default
      a while ago, for live migration compatibility reasons.  But we have
      compat properties to handle that, so that isn't a compelling reason.
      
      This also removes some sanity check inconsistencies in the cirrus code.
      Some places check against the allocated video memory, some places check
      against the 4MB the physical hardware has.  Guest code can trigger asserts
      because of that.
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 1489494514-15606-1-git-send-email-kraxel@redhat.com
    • cirrus/vnc: zap bitblit support from console code. · 50628d34
      Committed by Gerd Hoffmann
      There is a special code path (dpy_gfx_copy) to allow graphic emulation
      notify user interface code about bitblit operations carried out by
      guests.  It is supported by cirrus and vnc server.  The intended purpose
      is to optimize display scrolls and just send over the scroll op instead
      of a full display update.
      
      This is rarely used these days though because modern guests simply don't
      use the cirrus blitter any more.  Any linux guest using the cirrus drm
      driver doesn't.  Any windows guest newer than winxp doesn't ship with a
      cirrus driver any more and thus uses the cirrus as simple framebuffer.
      
      So this code tends to bitrot and bugs can go unnoticed for a long time.
      See for example commit "3e10c3ec vnc: fix qemu crash because of SIGSEGV"
      which fixes a bug lingering in the code for almost a year, added by
      commit "c7628bff vnc: only alloc server surface with clients connected".
      
      Also the vnc server will throttle the frame rate in case it figures the
      network can't keep up (send buffers are full).  This doesn't work with
      dpy_gfx_copy, for any copy operation sent to the vnc client we have to
      send all outstanding updates beforehand, otherwise the vnc client might
      run the client side blit on outdated data and thereby corrupt the
      display.  So this dpy_gfx_copy "optimization" might even make things
      worse on slow network links.
      
      Let's kill it once and for all.
      
      Oh, and one more reason: Turns out (after writing the patch) we have a
      security bug in that code path ...
      
      Fixes: CVE-2016-9603
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 1489494419-14340-1-git-send-email-kraxel@redhat.com
  2. 24 Feb 2017, 1 commit
  3. 10 Feb 2017, 3 commits
  4. 02 Feb 2017, 1 commit
    • cirrus: fix oob access issue (CVE-2017-2615) · 62d4c6bd
      Committed by Li Qiang
      When doing a bitblt copy in backward mode, we should subtract the
      blt width first, just like the addition in the forward mode. This
      can avoid the oob access of the front of vga's vram.
      Signed-off-by: Li Qiang <liqiang6-s@360.cn>
      
      [ kraxel: with backward blits (negative pitch) addr is the topmost
                address, so check it as-is against vram size ]
      
      Cc: qemu-stable@nongnu.org
      Cc: P J P <ppandit@redhat.com>
      Cc: Laszlo Ersek <lersek@redhat.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
      Fixes: d3532a0d (CVE-2014-8106)
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
      Reviewed-by: Laszlo Ersek <lersek@redhat.com>
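A model of the blit range check the CVE-2017-2615 message above reasons about, added here as an illustration and not QEMU's own blit_region_is_unsafe: the function name, the 4 MB VRAM constant and the sample blits are constructed for this example, and it covers the forward case as well as the backward one the fix concerns.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: 4 MB of VRAM, the default the
 * "switch to 4 MB video memory" commit on this page describes. */
#define VRAM_SIZE ((int64_t)4 * 1024 * 1024)

/*
 * Illustrative bounds check for a 2D blit (not QEMU's own code).
 *   addr   start offset into VRAM
 *   pitch  bytes between rows; negative for a backward blit
 *   width  bytes copied per row
 *   height number of rows
 * Returns true when any byte the blit would touch lies outside VRAM.
 * All arithmetic is done in int64_t so the check itself cannot wrap.
 */
static bool blit_region_is_unsafe(uint32_t addr, int32_t pitch,
                                  uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0) {
        return false;                       /* nothing is touched */
    }
    int64_t rows = (int64_t)height - 1;
    if (pitch < 0) {
        /* Backward blit: addr is the topmost byte touched, so check it
         * as-is against the VRAM size; the lowest byte is width-1 bytes
         * and height-1 rows below it.  Leaving out the width term is the
         * "front of vram" underflow the fix above closes. */
        int64_t lowest = (int64_t)addr - rows * (-(int64_t)pitch)
                       - ((int64_t)width - 1);
        return lowest < 0 || (int64_t)addr >= VRAM_SIZE;
    }
    /* Forward blit: the exclusive end is the end of the last row. */
    int64_t end = (int64_t)addr + rows * (int64_t)pitch + (int64_t)width;
    return end > VRAM_SIZE;
}

int main(void)
{
    /* Constructed sample blits: a backward copy whose 64-byte row would
     * run below offset 0, and a forward copy that stays in range. */
    printf("backward, addr 50, width 64: %s\n",
           blit_region_is_unsafe(50, -1024, 64, 1) ? "unsafe" : "safe");
    printf("forward, addr 0, 2 rows: %s\n",
           blit_region_is_unsafe(0, 1024, 64, 2) ? "unsafe" : "safe");
    return 0;
}
```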
  5. 01 Feb 2017, 3 commits
  6. 11 Jan 2017, 1 commit
  7. 05 Dec 2016, 1 commit
  8. 23 Mar 2016, 1 commit
    • include/qemu/osdep.h: Don't include qapi/error.h · da34e65c
      Committed by Markus Armbruster
      Commit 57cb38b3 included qapi/error.h into qemu/osdep.h to get the
      Error typedef.  Since then, we've moved to include qemu/osdep.h
      everywhere.  Its file comment explains: "To avoid getting into
      possible circular include dependencies, this file should not include
      any other QEMU headers, with the exceptions of config-host.h,
      compiler.h, os-posix.h and os-win32.h, all of which are doing a
      similar job to this file and are under similar constraints."
      qapi/error.h doesn't do a similar job, and it doesn't adhere to
      similar constraints: it includes qapi-types.h.  That's in excess of
      100KiB of crap most .c files don't actually need.
      
      Add the typedef to qemu/typedefs.h, and include that instead of
      qapi/error.h.  Include qapi/error.h in .c files that need it and don't
      get it now.  Include qapi-types.h in qom/object.h for uint16List.
      
      Update scripts/clean-includes accordingly.  Update it further to match
      reality: replace config.h by config-target.h, add sysemu/os-posix.h,
      sysemu/os-win32.h.  Update the list of includes in the qemu/osdep.h
      comment quoted above similarly.
      
      This reduces the number of objects depending on qapi/error.h from "all
      of them" to less than a third.  Unfortunately, the number depending on
      qapi-types.h shrinks only a little.  More work is needed for that one.
      Signed-off-by: Markus Armbruster <armbru@redhat.com>
      [Fix compilation without the spice devel packages. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  9. 01 Mar 2016, 1 commit
  10. 29 Jan 2016, 1 commit
  11. 19 May 2015, 1 commit
  12. 26 Feb 2015, 1 commit
  13. 13 Feb 2015, 1 commit
  14. 16 Dec 2014, 2 commits
  15. 01 Dec 2014, 2 commits
  16. 30 Sep 2014, 2 commits
  17. 11 Jul 2014, 2 commits
  18. 16 Jun 2014, 1 commit
  19. 28 Apr 2014, 1 commit
  20. 05 Mar 2014, 1 commit
  21. 10 Feb 2014, 1 commit
  22. 17 Oct 2013, 1 commit
  23. 29 Jul 2013, 1 commit
  24. 04 Jul 2013, 4 commits
  25. 07 Jun 2013, 1 commit