qemu-e2k/hw/display
Prasad J Pandit a98610c429 ati-vga: check mm_index before recursive call (CVE-2020-13800)
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Message-id: 20200604090830.33885-1-ppandit@redhat.com
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-06-05 09:14:40 +02:00
..
ads7846.c migration: Define VMSTATE_INSTANCE_ID_ANY 2020-01-20 09:10:23 +01:00
artist.c hw/display: Include local 'framebuffer.h' 2020-05-18 15:40:04 +02:00
ati_2d.c ati-vga: Fix checks in ati_2d_blt() to avoid crash 2020-04-07 09:25:23 +02:00
ati_dbg.c ati-vga: Implement dummy VBlank IRQ 2019-08-22 10:04:20 +02:00
ati_int.h ati-vga: Implement dummy VBlank IRQ 2019-08-22 10:04:20 +02:00
ati_regs.h ati-vga: Implement dummy VBlank IRQ 2019-08-22 10:04:20 +02:00
ati.c ati-vga: check mm_index before recursive call (CVE-2020-13800) 2020-06-05 09:14:40 +02:00
bcm2835_fb.c hw/arm/bcm283x: Correct the license text 2020-03-23 17:22:30 +00:00
blizzard.c display/blizzard: use extract16() for fix clang analyzer warning in blizzard_draw_line16_32() 2020-05-04 11:17:27 +02:00
bochs-display.c qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
cg3.c hw/display/cg3: Convert debug printf()s to trace events 2020-05-28 11:38:57 +02:00
cirrus_vga_internal.h
cirrus_vga_isa.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
cirrus_vga_rop2.h
cirrus_vga_rop.h
cirrus_vga.c hw/display/cirrus_vga: Convert debug printf() to trace event 2020-05-28 11:38:57 +02:00
dpcd.c hw/display/dpcd: Convert debug printf()s to trace events 2020-05-28 11:38:57 +02:00
edid-generate.c Arithmetic error in EDID generation fixed 2020-03-02 08:20:30 +01:00
edid-region.c Include exec/memory.h slightly less 2019-08-16 13:31:52 +02:00
exynos4210_fimd.c hw/display/exynos4210_fimd: Use qemu_log_mask(GUEST_ERROR) 2020-05-28 11:38:57 +02:00
framebuffer.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
framebuffer.h
g364fb.c hw/display: Let devices own the MemoryRegion they create 2020-03-17 15:18:48 +01:00
i2c-ddc.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
jazz_led.c mips: jazz: Renovate coding style 2019-12-16 13:04:46 +01:00
Kconfig hppa: Add emulation of Artist graphics 2020-01-27 10:49:51 -08:00
macfb.c hw/display: Let devices own the MemoryRegion they create 2020-03-17 15:18:48 +01:00
Makefile.objs hw/*/Makefile.objs: Move many .o files to common-objs 2020-02-04 09:00:57 +01:00
milkymist-tmu2.c Let cpu_[physical]_memory() calls pass a boolean 'is_write' argument 2020-02-20 14:47:08 +01:00
milkymist-vgafb_template.h
milkymist-vgafb.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
next-fb.c hw/display: Include local 'framebuffer.h' 2020-05-18 15:40:04 +02:00
omap_dss.c hw/display/omap_dss: Replace fprintf() call by qemu_log_mask(LOG_UNIMP) 2020-05-28 11:38:57 +02:00
omap_lcd_template.h
omap_lcdc.c Remove unnecessary cast when using the cpu_[physical]_memory API 2020-02-20 14:47:08 +01:00
pl110_template.h
pl110.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
pxa2xx_lcd.c hw/display/pxa2xx_lcd: Replace printf() call by qemu_log_mask() 2020-05-28 11:38:57 +02:00
pxa2xx_template.h
qxl-logger.c
qxl-render.c console: add graphic_hw_update_done() 2020-01-02 13:54:57 +04:00
qxl.c lockable: replaced locks with lock guard macros where appropriate 2020-05-04 16:07:43 +01:00
qxl.h qxl: introduce hardware revision 5 2020-02-13 08:31:40 +01:00
ramfb-standalone.c Revert "hw/display/ramfb: initialize fw-config space with xres/ yres" 2020-05-18 15:42:34 +02:00
ramfb.c ramfb: fix size calculation 2020-05-18 15:43:51 +02:00
sii9022.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
sm501_template.h
sm501.c sm501: Remove obsolete changelog and todo comment 2020-05-28 11:38:57 +02:00
ssd0303.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
ssd0323.c Include migration/vmstate.h less 2019-08-16 13:31:52 +02:00
tc6393xb_template.h
tc6393xb.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
tcx.c hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
trace-events hw/display/dpcd: Convert debug printf()s to trace events 2020-05-28 11:38:57 +02:00
vga_int.h vga: cleanup mapping of VRAM for non-PCI VGA 2019-12-18 02:34:13 +01:00
vga_regs.h Clean up header guards that don't match their file name 2019-05-13 08:58:55 +02:00
vga-access.h vga: move access helpers to separate include file 2019-09-19 10:37:46 +02:00
vga-helpers.h vga: move access helpers to separate include file 2019-09-19 10:37:46 +02:00
vga-isa-mm.c vga: cleanup mapping of VRAM for non-PCI VGA 2019-12-18 02:34:13 +01:00
vga-isa.c hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
vga-pci.c qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
vga.c vga: cleanup mapping of VRAM for non-PCI VGA 2019-12-18 02:34:13 +01:00
vhost-user-gpu-pci.c qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
vhost-user-gpu.c qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
vhost-user-vga.c qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
virtio-gpu-3d.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00
virtio-gpu-base.c qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
virtio-gpu-pci.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
virtio-gpu.c qdev: set properties with device_class_set_props() 2020-01-24 20:59:15 +01:00
virtio-vga.c virtio-vga: fix virtio-vga bar ordering 2020-05-04 10:25:02 -04:00
virtio-vga.h Clean up a header guard symbols (again) 2019-06-12 13:20:21 +02:00
vmware_vga.c hw/display/vmware_vga: Let the PCI device own its I/O MemoryRegion 2020-05-28 11:38:57 +02:00
xenfb.c Include hw/hw.h exactly where needed 2019-08-16 13:31:52 +02:00
xlnx_dp.c hw/display/xlnx_dp: Replace disabled DPRINTF() by error_report() 2020-05-28 11:38:57 +02:00