diff options
author | Hou Qiming <hqm03ster@gmail.com> | 2019-05-13 14:57:30 +0300 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2019-05-24 09:10:29 +0200 |
commit | a9e0cb67b7f4c485755659f9b764c38b5f970de4 (patch) | |
tree | 5bb64ad145364b05042b78f9c87b0d75f385eee5 | |
parent | d57f252addefa0a66db554038b063fd2331bb269 (diff) | |
download | qemu-a9e0cb67b7f4c485755659f9b764c38b5f970de4.zip qemu-a9e0cb67b7f4c485755659f9b764c38b5f970de4.tar.gz qemu-a9e0cb67b7f4c485755659f9b764c38b5f970de4.tar.bz2 |
hw/display/ramfb: lock guest resolution after it's set
Only allow one resolution change per guest boot, which prevents a
crash when the guest writes garbage to the configuration space (e.g.
when rebooting).
Signed-off-by: HOU Qiming <hqm03ster@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Message-id: 20190513115731.17588-3-marcel.apfelbaum@gmail.com
[fixed malformed patch]
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-rw-r--r-- | hw/display/ramfb.c | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/hw/display/ramfb.c b/hw/display/ramfb.c index 1955b04..0fe79aa 100644 --- a/hw/display/ramfb.c +++ b/hw/display/ramfb.c @@ -30,6 +30,7 @@ struct RAMFBState { DisplaySurface *ds; uint32_t width, height; struct RAMFBCfg cfg; + bool locked; }; static void ramfb_unmap_display_surface(pixman_image_t *image, void *unused) @@ -70,18 +71,25 @@ static DisplaySurface *ramfb_create_display_surface(int width, int height, static void ramfb_fw_cfg_write(void *dev, off_t offset, size_t len) { RAMFBState *s = dev; - uint32_t fourcc, format; + uint32_t fourcc, format, width, height; hwaddr stride, addr; - s->width = be32_to_cpu(s->cfg.width); - s->height = be32_to_cpu(s->cfg.height); + width = be32_to_cpu(s->cfg.width); + height = be32_to_cpu(s->cfg.height); stride = be32_to_cpu(s->cfg.stride); fourcc = be32_to_cpu(s->cfg.fourcc); addr = be64_to_cpu(s->cfg.addr); format = qemu_drm_format_to_pixman(fourcc); fprintf(stderr, "%s: %dx%d @ 0x%" PRIx64 "\n", __func__, - s->width, s->height, addr); + width, height, addr); + if (s->locked) { + fprintf(stderr, "%s: resolution locked, change rejected\n", __func__); + return; + } + s->locked = true; + s->width = width; + s->height = height; s->ds = ramfb_create_display_surface(s->width, s->height, format, stride, addr); } @@ -101,6 +109,13 @@ void ramfb_display_update(QemuConsole *con, RAMFBState *s) dpy_gfx_update_full(con); } +static void ramfb_reset(void *opaque) +{ + RAMFBState *s = (RAMFBState *)opaque; + s->locked = false; + memset(&s->cfg, 0, sizeof(s->cfg)); +} + RAMFBState *ramfb_setup(Error **errp) { FWCfgState *fw_cfg = fw_cfg_find(); @@ -113,9 +128,12 @@ RAMFBState *ramfb_setup(Error **errp) s = g_new0(RAMFBState, 1); + s->locked = false; + rom_add_vga("vgabios-ramfb.bin"); fw_cfg_add_file_callback(fw_cfg, "etc/ramfb", NULL, ramfb_fw_cfg_write, s, &s->cfg, sizeof(s->cfg), false); + qemu_register_reset(ramfb_reset, s); return s; } |