author Gerd Hoffmann <kraxel@redhat.com> 2017-02-09 14:02:20 +0100
committer Gerd Hoffmann <kraxel@redhat.com> 2017-02-10 16:49:45 +0100
commit 95280c31cda79bb1d0968afc7b19a220b3a9d986
tree 9dce556648d322de8f28bc5f18b0f8ce6962cdb3 /nbd
parent ec87f206d708191abdd332fdfd48fc5b36da083c
cirrus: fix patterncopy checks

The blit_region_is_unsafe checks don't work correctly for the patterncopy source. It's a fixed-sized region, which doesn't depend on cirrus_blt_{width,height}. So go do the check in cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that it doesn't need to verify the source. Also handle the case where we blit from cirrus_bitbuf correctly.

This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.

Security impact:

I think for the most part error on the safe side this time, refusing blits which should have been allowed.

Only exception is placing the blit source at the end of the video ram, so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But even in that case I'm not fully sure this actually allows read access to host memory. To trick the commit 5858dd18 security checks one has to pick very small cirrus_blt_{width,height} values, which in turn implies only a fraction of the blit source will actually be used.

Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com

Diffstat (limited to 'nbd')
0 files changed, 0 insertions, 0 deletions
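
The mismatch the commit message describes, as a simplified model added here for illustration; this is not QEMU code. VRAM_SIZE, the function names and the positive-pitch-only region check are assumptions; the 256-byte source size is the figure given in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this sketch, not QEMU's definitions. */
#define VRAM_SIZE     (4u * 1024u * 1024u)
#define PATTERN_BYTES 256u  /* fixed source size named in the commit message */

/* Hypothetical size-dependent check: the extent of the region is derived
 * from the blit width, height and pitch (positive pitch only here). */
static bool region_is_unsafe(uint32_t addr, uint32_t pitch,
                             uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0) {
        return true;
    }
    uint64_t end = (uint64_t)addr + (uint64_t)(height - 1) * pitch + width;
    return end > VRAM_SIZE;
}

/* Check for a fixed-size source: width and height play no part in it. */
static bool pattern_src_is_unsafe(uint32_t srcaddr)
{
    return (uint64_t)srcaddr + PATTERN_BYTES > VRAM_SIZE;
}

int main(void)
{
    /* Constructed case 1: source 16 bytes before the end of video memory,
     * tiny width/height. The size-dependent check accepts it, although a
     * 256-byte pattern read would run past the end. */
    uint32_t near_end = VRAM_SIZE - 16;
    printf("tiny blit:  region=%d pattern=%d\n",
           region_is_unsafe(near_end, 8, 8, 1),
           pattern_src_is_unsafe(near_end));

    /* Constructed case 2: pattern fits exactly in the last 256 bytes, large
     * width/height. The size-dependent check refuses a valid source. */
    uint32_t fits = VRAM_SIZE - PATTERN_BYTES;
    printf("large blit: region=%d pattern=%d\n",
           region_is_unsafe(fits, 1024, 1024, 768),
           pattern_src_is_unsafe(fits));
    return 0;
}
```

Case 1 is the exception the message calls out, and case 2 is the "refusing blits which should have been allowed" behaviour.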