From 3c18025a495a2c105c2c33051ece0f3525d1e0c4 Mon Sep 17 00:00:00 2001

From: Gerd Hoffmann <kraxel@redhat.com>

Date: Thu, 28 Apr 2016 16:07:32 +0200

Subject: [PATCH 27/27] vga: make sure vga register setup for vbe stays intact.

RH-Author: Gerd Hoffmann <kraxel@redhat.com>

Message-id: <1461859652-20918-7-git-send-email-kraxel@redhat.com>

Patchwork-id: 70297

O-Subject: [virt-devel] [RHEL-7.3 qemu-kvm PATCH 6/6] vga: make sure vga register setup for vbe stays intact.

Bugzilla: 1331413

RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>

RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Call vbe_update_vgaregs() when the guest touches GFX, SEQ or CRT

registers, to make sure the vga registers will always have the

values needed by vbe mode.  This makes sure the sanity checks

applied by vbe_fixup_regs() are effective.

Without this guests can muck with shift_control, can turn on planar

vga modes or text mode emulation while VBE is active, making qemu

take code paths meant for CGA compatibility, but with the very

large display widths and heigts settable using VBE registers.

Which is good for one or another buffer overflow.  Not that

critical as they typically read overflows happening somewhere

in the display code.  So guests can DoS by crashing qemu with a

segfault, but it is probably not possible to break out of the VM.

Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>

Reported-by: P J P <ppandit@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 hw/display/vga.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/hw/display/vga.c b/hw/display/vga.c

index ee3c0c0..f049b26 100644

--- a/hw/display/vga.c

+++ b/hw/display/vga.c

@@ -166,6 +166,8 @@ static uint32_t expand4[256];

 static uint16_t expand2[256];

 static uint8_t expand4to8[16];

+static void vbe_update_vgaregs(VGACommonState *s);

+

 static inline bool vbe_enabled(VGACommonState *s)

 {

     return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;

@@ -511,6 +513,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)

         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);

 #endif

         s->sr[s->sr_index] = val & sr_mask[s->sr_index];

+        vbe_update_vgaregs(s);

         if (s->sr_index == VGA_SEQ_CLOCK_MODE) {

             s->update_retrace_info(s);

         }

@@ -542,6 +545,7 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)

         printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);

 #endif

         s->gr[s->gr_index] = val & gr_mask[s->gr_index];

+        vbe_update_vgaregs(s);

         vga_update_memory_access(s);

         break;

     case VGA_CRT_IM:

@@ -560,10 +564,12 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)

             if (s->cr_index == VGA_CRTC_OVERFLOW) {

                 s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |

                     (val & 0x10);

+                vbe_update_vgaregs(s);

             }

             return;

         }

         s->cr[s->cr_index] = val;

+        vbe_update_vgaregs(s);

         switch(s->cr_index) {

         case VGA_CRTC_H_TOTAL:

-- 

1.8.3.1