qemu-e2k/hw
Gerd Hoffmann 3d90c62548 vga: stop passing pointers to vga_draw_line* functions
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact: DoS for privileged guest users. qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com
2017-09-01 13:52:43 +02:00
9pfs 9pfs: fix dependencies 2017-08-30 18:23:25 +02:00
acpi docs: fix broken paths to docs/devel/tracing.txt 2017-07-31 13:12:53 +03:00
adc
alpha docs: fix broken paths to docs/devel/tracing.txt 2017-07-31 13:12:53 +03:00
arm hw/arm/virt: Add 2.10 machine type 2017-08-07 14:16:31 +01:00
audio pcspk: use QEMU_ALIGN_DOWN 2017-08-31 12:29:07 +02:00
block nvme: Fix get/set number of queues feature, again 2017-08-29 16:54:40 +01:00
bt bt: stop the sdp memory allocation craziness 2017-08-01 17:27:33 +02:00
char virtio-serial: use DIV_ROUND_UP 2017-08-31 12:29:07 +02:00
core loader: check get_image_size() return value 2017-07-31 13:06:38 +03:00
cpu cpu: don't allow negative core id 2017-08-02 18:30:13 -03:00
cris
display vga: stop passing pointers to vga_draw_line* functions 2017-09-01 13:52:43 +02:00
dma trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
gpio
i2c
i386 i386: replace g_malloc()+memcpy() with g_memdup() 2017-08-31 12:29:07 +02:00
ide IDE: Do not flush empty CDROM drives 2017-08-10 14:33:43 +01:00
input trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
intc s390x/kvm: move KVM declarations and stubs to separate files 2017-08-30 18:23:26 +02:00
ipack
ipmi
isa trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
lm32
m68k
mem hw/ppc/spapr: Fix segfault when instantiating a 'pc-dimm' without 'memdev' 2017-08-22 21:26:46 +10:00
microblaze
mips mips: Add KVM T&E segment support for TCG 2017-08-02 22:18:06 +01:00
misc mmio-interface: Mark as not user creatable 2017-08-15 17:42:02 +01:00
moxie
net eepro100: replace g_malloc()+memcpy() with g_memdup() 2017-08-31 12:29:07 +02:00
nios2
nvram trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
openrisc
pci -----BEGIN PGP SIGNATURE----- 2017-08-31 15:52:43 +01:00
pci-bridge
pci-host q35: use DIV_ROUND_UP 2017-08-31 12:29:07 +02:00
pcmcia
ppc hw/ppc/spapr_iommu: Fix crash when removing the "spapr-tce-table" device 2017-08-22 21:26:46 +10:00
s390x s390x/pci: fixup trap_msix() 2017-08-30 18:23:26 +02:00
scsi scsi: clarify sense codes for LUN0 emulation 2017-08-08 10:40:20 +02:00
sd trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
sh4
smbios
sparc docs: fix broken paths to docs/devel/tracing.txt 2017-07-31 13:12:53 +03:00
sparc64
ssi xlnx-qspi: add a property for mmio-execution 2017-08-14 14:17:18 +01:00
timer i8254: use QEMU_ALIGN_DOWN 2017-08-31 12:29:07 +02:00
tpm
tricore
unicore32 fix qemu-system-unicore32 crashing when calling without -kernel 2017-07-31 13:05:49 +03:00
usb usb-hub: use DIV_ROUND_UP 2017-08-31 12:29:07 +02:00
vfio trace-events: fix code style: print 0x before hex numbers 2017-08-01 12:13:07 +01:00
virtio vhost: use QEMU_ALIGN_DOWN 2017-08-31 12:29:07 +02:00
watchdog watchdog/wdt_diag288: Mark diag288 watchdog as non-hotpluggable 2017-08-30 18:23:25 +02:00
xen trace-events: fix code style: %# -> 0x% 2017-08-01 12:13:07 +01:00
xenpv
xtensa
Makefile.objs 9pfs: fix dependencies 2017-08-30 18:23:25 +02:00