
[Xen-changelog] [xen-unstable] ioemu: various fixes to 18394:dade7f0bdc8d



# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1220968971 -3600
# Node ID 33d907ff2b043c4bff5c265737dab0bb52d6f773
# Parent  4f27d1a23bca64ec644726cbd46567ebfef7951a
ioemu: various fixes to 18394:dade7f0bdc8d

- fix ioemu segv with old firmware
  Without notifying ioemu of address, ioemu will segv.

- fix qemu-dm segv with malicious firmware
  If notifying ioemu more than once, ioemu will segv.

Usually such cases don't happen, but a malicious guest can
do it intentionally.

Signed-off-by: Isaku Yamahata <yamahata@xxxxxxxxxxxxx>
---
 tools/ioemu/hw/cirrus_vga.c |    3 +++
 tools/ioemu/hw/vga.c        |    8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff -r 4f27d1a23bca -r 33d907ff2b04 tools/ioemu/hw/cirrus_vga.c
--- a/tools/ioemu/hw/cirrus_vga.c       Tue Sep 09 15:02:32 2008 +0100
+++ b/tools/ioemu/hw/cirrus_vga.c       Tue Sep 09 15:02:51 2008 +0100
@@ -2554,6 +2554,9 @@ static void set_vram_mapping(CirrusVGASt
 
     fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);
 
+    if (!s->vram_mfns)
+        return;
+
     xatp.domid = domid;
     xatp.space = XENMAPSPACE_mfn;
 
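Review bot: The early return on `if (!s->vram_mfns)` comes after the `fprintf(logfile, "mapping vram to ...")` line, so the log claims a mapping for a range that is then silently skipped. Move the check above the log call, or log that the mapping was skipped because the firmware never supplied the VRAM address, so that an old-firmware guest can be told apart from a working one in the log. It is also worth confirming that the matching unmap path carries the same guard, since only set_vram_mapping is touched in this hunk.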
diff -r 4f27d1a23bca -r 33d907ff2b04 tools/ioemu/hw/vga.c
--- a/tools/ioemu/hw/vga.c      Tue Sep 09 15:02:32 2008 +0100
+++ b/tools/ioemu/hw/vga.c      Tue Sep 09 15:02:51 2008 +0100
@@ -2080,7 +2080,13 @@ void xen_vga_vram_map(uint64_t vram_addr
 
     if (copy)
         memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE);
-    qemu_free(xen_vga_state->vram_ptr);
+    if (xen_vga_state->vram_mfns) {
+        /* In case this function is called more than once */
+        free(xen_vga_state->vram_mfns);
+        munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);
+    } else {
+        qemu_free(xen_vga_state->vram_ptr);
+    }
     xen_vga_state->vram_ptr = vram;
     xen_vga_state->vram_mfns = pfn_list;
 #ifdef CONFIG_STUBDOM
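Review bot: The new branch decides how to release `vram_ptr` from whether `vram_mfns` is non-NULL, and that invariant (vram_ptr is a mapped region exactly when vram_mfns is set) is not stated anywhere in the visible lines; the comment "In case this function is called more than once" should spell it out, because choosing the wrong release function here is memory corruption reachable by the guest. The `munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE)` return value is ignored, so a failure would leave the old mapping in place on every repeated call; check it and at least log the error. The old list is released with `free()` while the other path uses `qemu_free()`, so confirm `pfn_list` is allocated with plain malloc. Since the commit message says repeated notification only happens with malicious firmware, consider rejecting a second call outright instead of remapping.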

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

