diff options
| author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2024-10-08 16:50:13 +0400 |
|---|---|---|
| committer | Marc-André Lureau <marcandre.lureau@redhat.com> | 2024-10-14 17:34:09 +0400 |
| commit | 330ef31deb2e5461cff907488b710f5bd9cd2327 (patch) | |
| tree | f614213dc0627187b5677f90a0dd553309ce09c3 | |
| parent | 244d52ff736fefc3dd364ed091720aa896af306d (diff) | |
| download | qemu-330ef31deb2e5461cff907488b710f5bd9cd2327.zip qemu-330ef31deb2e5461cff907488b710f5bd9cd2327.tar.gz qemu-330ef31deb2e5461cff907488b710f5bd9cd2327.tar.bz2 | |
ui/win32: fix potential use-after-free with dbus shared memory
DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.
Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.
Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>
| -rw-r--r-- | hw/display/virtio-gpu.c | 14 | ||||
| -rw-r--r-- | include/ui/qemu-pixman.h | 2 | ||||
| -rw-r--r-- | ui/console.c | 24 | ||||
| -rw-r--r-- | ui/qemu-pixman.c | 15 |
4 files changed, 21 insertions, 34 deletions
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 3281842..017a0f1 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -238,16 +238,6 @@ static uint32_t calc_image_hostmem(pixman_format_code_t pformat, return height * stride; } -#ifdef WIN32 -static void -win32_pixman_image_destroy(pixman_image_t *image, void *data) -{ - HANDLE handle = data; - - qemu_win32_map_free(pixman_image_get_data(image), handle, &error_warn); -} -#endif - static void virtio_gpu_resource_create_2d(VirtIOGPU *g, struct virtio_gpu_ctrl_command *cmd) { @@ -308,7 +298,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, bits, c2d.height ? res->hostmem / c2d.height : 0); #ifdef WIN32 if (res->image) { - pixman_image_set_destroy_function(res->image, win32_pixman_image_destroy, res->handle); + pixman_image_set_destroy_function(res->image, qemu_pixman_win32_image_destroy, res->handle); } #endif } @@ -1327,7 +1317,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size, return -EINVAL; } #ifdef WIN32 - pixman_image_set_destroy_function(res->image, win32_pixman_image_destroy, res->handle); + pixman_image_set_destroy_function(res->image, qemu_pixman_win32_image_destroy, res->handle); #endif res->addrs = g_new(uint64_t, res->iov_cnt); diff --git a/include/ui/qemu-pixman.h b/include/ui/qemu-pixman.h index ef13a82..e3dd72b 100644 --- a/include/ui/qemu-pixman.h +++ b/include/ui/qemu-pixman.h @@ -97,6 +97,8 @@ void qemu_pixman_glyph_render(pixman_image_t *glyph, void qemu_pixman_image_unref(pixman_image_t *image); +void qemu_pixman_win32_image_destroy(pixman_image_t *image, void *data); + G_DEFINE_AUTOPTR_CLEANUP_FUNC(pixman_image_t, qemu_pixman_image_unref) #endif /* QEMU_PIXMAN_H */ diff --git a/ui/console.c b/ui/console.c index 105a0e2..8f416ff 100644 --- a/ui/console.c +++ b/ui/console.c @@ -461,24 +461,6 @@ void qemu_displaysurface_win32_set_handle(DisplaySurface *surface, surface->handle = h; surface->handle_offset = offset; } - -static void -win32_pixman_image_destroy(pixman_image_t *image, void *data) -{ - DisplaySurface *surface = data; - - if (!surface->handle) { - return; - } - - assert(surface->handle_offset == 0); - - qemu_win32_map_free( - pixman_image_get_data(surface->image), - surface->handle, - &error_warn - ); -} #endif DisplaySurface *qemu_create_displaysurface(int width, int height) @@ -504,6 +486,8 @@ DisplaySurface *qemu_create_displaysurface(int width, int height) #ifdef WIN32 qemu_displaysurface_win32_set_handle(surface, handle, 0); + pixman_image_set_destroy_function(surface->image, + qemu_pixman_win32_image_destroy, handle); #endif return surface; } @@ -519,10 +503,6 @@ DisplaySurface *qemu_create_displaysurface_from(int width, int height, width, height, (void *)data, linesize); assert(surface->image != NULL); -#ifdef WIN32 - pixman_image_set_destroy_function(surface->image, - win32_pixman_image_destroy, surface); -#endif return surface; } diff --git a/ui/qemu-pixman.c b/ui/qemu-pixman.c index 6cada8b..3870e1a 100644 --- a/ui/qemu-pixman.c +++ b/ui/qemu-pixman.c @@ -4,6 +4,7 @@ */ #include "qemu/osdep.h" +#include "qapi/error.h" #include "ui/console.h" #include "standard-headers/drm/drm_fourcc.h" #include "trace.h" @@ -267,3 +268,17 @@ void qemu_pixman_glyph_render(pixman_image_t *glyph, pixman_image_unref(ibg); } #endif /* CONFIG_PIXMAN */ + +#ifdef WIN32 +void +qemu_pixman_win32_image_destroy(pixman_image_t *image, void *data) +{ + HANDLE handle = data; + + qemu_win32_map_free( + pixman_image_get_data(image), + handle, + &error_warn + ); +} +#endif |