vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory). Add vga_read_* helper functions which apply vbe_size_mask to the address, to make sure the address stays within the valid range, similar to the cirrus blitter fixes (commits ffaf857778 and 026aeffcb4). Impact: DoS for privileged guest users. qemu crashes with a segfault, when hitting the guard page after vga memory allocation, while reading vga memory for display updates. Fixes: CVE-2017-13672 Cc: P J P <ppandit@redhat.com> Reported-by: David Buchanan <d@vidbuchanan.co.uk> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 20170828122906.18993-1-kraxel@redhat.com
2025-08-05 08:43:55 -06:00 · 2017-08-28 14:29:06 +02:00 · 2017-08-28 14:29:06 +02:00 · 3d90c62548
commit 3d90c62548
parent e65294157d
3 changed files with 114 additions and 94 deletions
--- a/hw/display/vga_int.h
+++ b/hw/display/vga_int.h
@ -94,6 +94,7 @@ typedef struct VGACommonState {
    uint32_t vram_size;
    uint32_t vram_size_mb; /* property */
    uint32_t vbe_size;
+    uint32_t vbe_size_mask;
    uint32_t latch;
    bool has_chain4_alias;
    MemoryRegion chain4_alias;