debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch

   1 From a2273296a948a2f6f36d858c18893315030702d6 Mon Sep 17 00:00:00 2001
   2 From: Gerd Hoffmann <kraxel@redhat.com>
   3 Date: Mon, 30 May 2016 09:09:20 +0200
   4 Subject: [PATCH 6/9] vmsvga: shadow fifo registers
   5
   6 The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
   7 access the fifo in parallel without syncronization.  Which in turn
   8 implies we can't use the fifo pointers in-place because the guest
   9 can try changing them underneath us.  So add shadows for them, to
  10 make sure the guest can't modify them after we've applied sanity
  11 checks.
  12
  13 Fixes: CVE-2016-4454
  14 Cc: P J P <ppandit@redhat.com>
  15 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  16 ---
  17  hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
  18  1 file changed, 28 insertions(+), 29 deletions(-)
  19
  20 diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
  21 index f2663ee..99e128b 100644
  22 --- a/hw/display/vmware_vga.c
  23 +++ b/hw/display/vmware_vga.c
  24 @@ -64,17 +64,11 @@ struct vmsvga_state_s {
  25      uint8_t *fifo_ptr;
  26      unsigned int fifo_size;
  27
  28 -    union {
  29 -        uint32_t *fifo;
  30 -        struct QEMU_PACKED {
  31 -            uint32_t min;
  32 -            uint32_t max;
  33 -            uint32_t next_cmd;
  34 -            uint32_t stop;
  35 -            /* Add registers here when adding capabilities.  */
  36 -            uint32_t fifo[0];
  37 -        } *cmd;
  38 -    };
  39 +    uint32_t *fifo;
  40 +    uint32_t fifo_min;
  41 +    uint32_t fifo_max;
  42 +    uint32_t fifo_next;
  43 +    uint32_t fifo_stop;
  44
  45  #define REDRAW_FIFO_LEN  512
  46      struct vmsvga_rect_s {
  47 @@ -196,7 +190,7 @@ enum {
  48       */
  49      SVGA_FIFO_MIN = 0,
  50      SVGA_FIFO_MAX,      /* The distance from MIN to MAX must be at least 10K */
  51 -    SVGA_FIFO_NEXT_CMD,
  52 +    SVGA_FIFO_NEXT,
  53      SVGA_FIFO_STOP,
  54
  55      /*
  56 @@ -544,8 +538,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
  57  }
  58  #endif
  59
  60 -#define CMD(f)  le32_to_cpu(s->cmd->f)
  61 -
  62  static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
  63  {
  64      int num;
  65 @@ -554,38 +546,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
  66          return 0;
  67      }
  68
  69 +    s->fifo_min  = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
  70 +    s->fifo_max  = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
  71 +    s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
  72 +    s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
  73 +
  74      /* Check range and alignment.  */
  75 -    if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
  76 +    if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
  77          return 0;
  78      }
  79 -    if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
  80 +    if (s->fifo_min < sizeof(uint32_t) * 4) {
  81          return 0;
  82      }
  83 -    if (CMD(max) > SVGA_FIFO_SIZE ||
  84 -        CMD(min) >= SVGA_FIFO_SIZE ||
  85 -        CMD(stop) >= SVGA_FIFO_SIZE ||
  86 -        CMD(next_cmd) >= SVGA_FIFO_SIZE) {
  87 +    if (s->fifo_max > SVGA_FIFO_SIZE ||
  88 +        s->fifo_min >= SVGA_FIFO_SIZE ||
  89 +        s->fifo_stop >= SVGA_FIFO_SIZE ||
  90 +        s->fifo_next >= SVGA_FIFO_SIZE) {
  91          return 0;
  92      }
  93 -    if (CMD(max) < CMD(min) + 10 * 1024) {
  94 +    if (s->fifo_max < s->fifo_min + 10 * 1024) {
  95          return 0;
  96      }
  97
  98 -    num = CMD(next_cmd) - CMD(stop);
  99 +    num = s->fifo_next - s->fifo_stop;
 100      if (num < 0) {
 101 -        num += CMD(max) - CMD(min);
 102 +        num += s->fifo_max - s->fifo_min;
 103      }
 104      return num >> 2;
 105  }
 106
 107  static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
 108  {
 109 -    uint32_t cmd = s->fifo[CMD(stop) >> 2];
 110 +    uint32_t cmd = s->fifo[s->fifo_stop >> 2];
 111
 112 -    s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
 113 -    if (CMD(stop) >= CMD(max)) {
 114 -        s->cmd->stop = s->cmd->min;
 115 +    s->fifo_stop += 4;
 116 +    if (s->fifo_stop >= s->fifo_max) {
 117 +        s->fifo_stop = s->fifo_min;
 118      }
 119 +    s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
 120      return cmd;
 121  }
 122
 123 @@ -605,7 +603,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 124      len = vmsvga_fifo_length(s);
 125      while (len > 0) {
 126          /* May need to go back to the start of the command if incomplete */
 127 -        cmd_start = s->cmd->stop;
 128 +        cmd_start = s->fifo_stop;
 129
 130          switch (cmd = vmsvga_fifo_read(s)) {
 131          case SVGA_CMD_UPDATE:
 132 @@ -764,7 +762,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 133              break;
 134
 135          rewind:
 136 -            s->cmd->stop = cmd_start;
 137 +            s->fifo_stop = cmd_start;
 138 +            s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
 139              break;
 140          }
 141      }
 142 --
 143 2.1.4
 144