File 0434-vga-stop-passing-pointers-to-vga_dr.patch of Package qemu.6354

From 1368d9ac36de0f220ee6c71aed3ae20ca6b7b0a5 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 28 Aug 2017 14:29:06 +0200
Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact:  DoS for privileged guest users.  qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com
(cherry picked from commit 3d90c6254863693a6b13d918d2b8682e08bbc681)
[FL: BSC#1056334 CVE-2017-13672, add macro to fix multiple #include]
Signed-off-by: Fei Li <fli@suse.com>
---
 hw/display/vga.c          |   5 +-
 hw/display/vga_int.h      |   1 +
 hw/display/vga_template.h | 182 +++++++++++++++++++++++++++-------------------
 3 files changed, 111 insertions(+), 77 deletions(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 5323ff7ea5..42335e1d20 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1051,7 +1051,7 @@ typedef void vga_draw_glyph9_func(uint8_t *d, int linesize,
                                   const uint8_t *font_ptr, int h,
                                   uint32_t fgcol, uint32_t bgcol, int dup9);
 typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
-                                const uint8_t *s, int width);
+                                uint32_t srcaddr, int width);
 
 #ifdef TARGET_WORDS_BIGENDIAN
 static bool vga_is_be = true;
@@ -1988,7 +1988,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
             if (page1 > page_max)
                 page_max = page1;
             if (!(is_buffer_shared(surface))) {
-                vga_draw_line(s, d, s->vram_ptr + addr, width);
+                vga_draw_line(s, d, addr, width);
                 if (s->cursor_draw_line)
                     s->cursor_draw_line(s, d, y);
             }
@@ -2469,6 +2469,7 @@ void vga_common_init(VGACommonState *s, Object *obj)
     if (!s->vbe_size) {
         s->vbe_size = s->vram_size;
     }
+    s->vbe_size_mask = s->vbe_size - 1;
 
     s->is_vbe_vmstate = 1;
     memory_region_init_ram(&s->vram, obj, "vga.vram", s->vram_size);
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
index dd2d851a12..37846697c7 100644
--- a/hw/display/vga_int.h
+++ b/hw/display/vga_int.h
@@ -94,6 +94,7 @@ typedef struct VGACommonState {
     uint32_t vram_size;
     uint32_t vram_size_mb; /* property */
     uint32_t vbe_size;
+    uint32_t vbe_size_mask;
     uint32_t latch;
     MemoryRegion *chain4_alias;
     uint8_t sr_index;
diff --git a/hw/display/vga_template.h b/hw/display/vga_template.h
index f8ea15fc6a..58424f452f 100644
--- a/hw/display/vga_template.h
+++ b/hw/display/vga_template.h
@@ -164,20 +164,49 @@ static void glue(vga_draw_glyph9_, DEPTH)(uint8_t *d, int linesize,
     } while (--h);
 }
 
+#ifndef VGA_READ_FUNCTION
+#define VGA_READ_FUNCTION 1
+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
+{
+    return vga->vram_ptr[addr & vga->vbe_size_mask];
+}
+
+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
+{
+    uint32_t offset = addr & vga->vbe_size_mask & ~1;
+    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+    return lduw_le_p(ptr);
+}
+
+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
+{
+    uint32_t offset = addr & vga->vbe_size_mask & ~1;
+    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+    return lduw_be_p(ptr);
+}
+
+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
+{
+    uint32_t offset = addr & vga->vbe_size_mask & ~3;
+    uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
+    return ldl_le_p(ptr);
+}
+#endif
+
 /*
  * 4 color mode
  */
-static void glue(vga_draw_line2_, DEPTH)(VGACommonState *s1, uint8_t *d,
-                                         const uint8_t *s, int width)
+static void glue(vga_draw_line2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+                                         uint32_t addr, int width)
 {
     uint32_t plane_mask, *palette, data, v;
     int x;
 
-    palette = s1->last_palette;
-    plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+    palette = vga->last_palette;
+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
     width >>= 3;
     for(x = 0; x < width; x++) {
-        data = ((uint32_t *)s)[0];
+        data = vga_read_dword_le(vga, addr);
         data &= plane_mask;
         v = expand2[GET_PLANE(data, 0)];
         v |= expand2[GET_PLANE(data, 2)] << 2;
@@ -193,7 +222,7 @@ static void glue(vga_draw_line2_, DEPTH)(VGACommonState *s1, uint8_t *d,
         ((PIXEL_TYPE *)d)[6] = palette[(v >> 4) & 0xf];
         ((PIXEL_TYPE *)d)[7] = palette[(v >> 0) & 0xf];
         d += BPP * 8;
-        s += 4;
+        addr += 4;
     }
 }
 
@@ -209,17 +238,17 @@ static void glue(vga_draw_line2_, DEPTH)(VGACommonState *s1, uint8_t *d,
 /*
  * 4 color mode, dup2 horizontal
  */
-static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
-                                           const uint8_t *s, int width)
+static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+                                           uint32_t addr, int width)
 {
     uint32_t plane_mask, *palette, data, v;
     int x;
 
-    palette = s1->last_palette;
-    plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+    palette = vga->last_palette;
+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
     width >>= 3;
     for(x = 0; x < width; x++) {
-        data = ((uint32_t *)s)[0];
+        data = vga_read_dword_le(vga, addr);
         data &= plane_mask;
         v = expand2[GET_PLANE(data, 0)];
         v |= expand2[GET_PLANE(data, 2)] << 2;
@@ -235,24 +264,24 @@ static void glue(vga_draw_line2d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
         PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
         PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
         d += BPP * 16;
-        s += 4;
+        addr += 4;
     }
 }
 
 /*
  * 16 color mode
  */
-static void glue(vga_draw_line4_, DEPTH)(VGACommonState *s1, uint8_t *d,
-                                         const uint8_t *s, int width)
+static void glue(vga_draw_line4_, DEPTH)(VGACommonState *vga, uint8_t *d,
+                                         uint32_t addr, int width)
 {
     uint32_t plane_mask, data, v, *palette;
     int x;
 
-    palette = s1->last_palette;
-    plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+    palette = vga->last_palette;
+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
     width >>= 3;
     for(x = 0; x < width; x++) {
-        data = ((uint32_t *)s)[0];
+        data = vga_read_dword_le(vga, addr);
         data &= plane_mask;
         v = expand4[GET_PLANE(data, 0)];
         v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -267,24 +296,24 @@ static void glue(vga_draw_line4_, DEPTH)(VGACommonState *s1, uint8_t *d,
         ((PIXEL_TYPE *)d)[6] = palette[(v >> 4) & 0xf];
         ((PIXEL_TYPE *)d)[7] = palette[(v >> 0) & 0xf];
         d += BPP * 8;
-        s += 4;
+        addr += 4;
     }
 }
 
 /*
  * 16 color mode, dup2 horizontal
  */
-static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
-                                           const uint8_t *s, int width)
+static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+                                           uint32_t addr, int width)
 {
     uint32_t plane_mask, data, v, *palette;
     int x;
 
-    palette = s1->last_palette;
-    plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+    palette = vga->last_palette;
+    plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
     width >>= 3;
     for(x = 0; x < width; x++) {
-        data = ((uint32_t *)s)[0];
+        data = vga_read_dword_le(vga, addr);
         data &= plane_mask;
         v = expand4[GET_PLANE(data, 0)];
         v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -299,7 +328,7 @@ static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
         PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
         PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
         d += BPP * 16;
-        s += 4;
+        addr += 4;
     }
 }
 
@@ -308,21 +337,21 @@ static void glue(vga_draw_line4d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
  *
  * XXX: add plane_mask support (never used in standard VGA modes)
  */
-static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
-                                           const uint8_t *s, int width)
+static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *vga, uint8_t *d,
+                                           uint32_t addr, int width)
 {
     uint32_t *palette;
     int x;
 
-    palette = s1->last_palette;
+    palette = vga->last_palette;
     width >>= 3;
     for(x = 0; x < width; x++) {
-        PUT_PIXEL2(d, 0, palette[s[0]]);
-        PUT_PIXEL2(d, 1, palette[s[1]]);
-        PUT_PIXEL2(d, 2, palette[s[2]]);
-        PUT_PIXEL2(d, 3, palette[s[3]]);
+        PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);
+        PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);
+        PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);
+        PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);
         d += BPP * 8;
-        s += 4;
+        addr += 4;
     }
 }
 
@@ -331,25 +360,25 @@ static void glue(vga_draw_line8d2_, DEPTH)(VGACommonState *s1, uint8_t *d,
  *
  * XXX: add plane_mask support (never used in standard VGA modes)
  */
-static void glue(vga_draw_line8_, DEPTH)(VGACommonState *s1, uint8_t *d,
-                                         const uint8_t *s, int width)
+static void glue(vga_draw_line8_, DEPTH)(VGACommonState *vga, uint8_t *d,
+                                         uint32_t addr, int width)
 {
     uint32_t *palette;
     int x;
 
-    palette = s1->last_palette;
+    palette = vga->last_palette;
     width >>= 3;
     for(x = 0; x < width; x++) {
-        ((PIXEL_TYPE *)d)[0] = palette[s[0]];
-        ((PIXEL_TYPE *)d)[1] = palette[s[1]];
-        ((PIXEL_TYPE *)d)[2] = palette[s[2]];
-        ((PIXEL_TYPE *)d)[3] = palette[s[3]];
-        ((PIXEL_TYPE *)d)[4] = palette[s[4]];
-        ((PIXEL_TYPE *)d)[5] = palette[s[5]];
-        ((PIXEL_TYPE *)d)[6] = palette[s[6]];
-        ((PIXEL_TYPE *)d)[7] = palette[s[7]];
+        ((PIXEL_TYPE *)d)[0] = palette[vga_read_byte(vga, addr + 0)];
+        ((PIXEL_TYPE *)d)[1] = palette[vga_read_byte(vga, addr + 1)];
+        ((PIXEL_TYPE *)d)[2] = palette[vga_read_byte(vga, addr + 2)];
+        ((PIXEL_TYPE *)d)[3] = palette[vga_read_byte(vga, addr + 3)];
+        ((PIXEL_TYPE *)d)[4] = palette[vga_read_byte(vga, addr + 4)];
+        ((PIXEL_TYPE *)d)[5] = palette[vga_read_byte(vga, addr + 5)];
+        ((PIXEL_TYPE *)d)[6] = palette[vga_read_byte(vga, addr + 6)];
+        ((PIXEL_TYPE *)d)[7] = palette[vga_read_byte(vga, addr + 7)];
         d += BPP * 8;
-        s += 8;
+        addr += 8;
     }
 }
 
@@ -361,11 +390,12 @@ static void glue(vga_draw_line8_, DEPTH)(VGACommonState *s1, uint8_t *d,
 /*
  * 15 bit color
  */
-static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
-                                          const uint8_t *s, int width)
+static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+                                                uint32_t addr, int width)
 {
 #if DEPTH == 15 && PIX_BE == defined(HOST_WORDS_BIGENDIAN)
-    memcpy(d, s, width * 2);
+    uint32_t offset = addr & vga->vbe_size_mask & ~1;
+    memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 2);
 #else
     int w;
     uint32_t v, r, g, b;
@@ -373,15 +403,15 @@ static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
     w = width;
     do {
 #if PIX_BE
-        v = lduw_be_p((void *)s);
+        v = vga_read_word_be(vga, addr);
 #else
-        v = lduw_le_p((void *)s);
+        v = vga_read_word_le(vga, addr);
 #endif
         r = (v >> 7) & 0xf8;
         g = (v >> 2) & 0xf8;
         b = (v << 3) & 0xf8;
         ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
-        s += 2;
+        addr += 2;
         d += BPP;
     } while (--w != 0);
 #endif
@@ -390,11 +420,12 @@ static void glue(vga_draw_line15_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 /*
  * 16 bit color
  */
-static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
-                                          const uint8_t *s, int width)
+static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+                                                uint32_t addr, int width)
 {
 #if DEPTH == 16 && PIX_BE == defined(HOST_WORDS_BIGENDIAN)
-    memcpy(d, s, width * 2);
+    uint32_t offset = addr & vga->vbe_size_mask & ~1;
+    memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 2);
 #else
     int w;
     uint32_t v, r, g, b;
@@ -402,15 +433,15 @@ static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
     w = width;
     do {
 #if PIX_BE
-        v = lduw_be_p((void *)s);
+        v = vga_read_word_be(vga, addr);
 #else
-        v = lduw_le_p((void *)s);
+        v = vga_read_word_le(vga, addr);
 #endif
         r = (v >> 8) & 0xf8;
         g = (v >> 3) & 0xfc;
         b = (v << 3) & 0xf8;
         ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
-        s += 2;
+        addr += 2;
         d += BPP;
     } while (--w != 0);
 #endif
@@ -419,8 +450,8 @@ static void glue(vga_draw_line16_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 /*
  * 24 bit color
  */
-static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
-                                          const uint8_t *s, int width)
+static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+                                                uint32_t addr, int width)
 {
     int w;
     uint32_t r, g, b;
@@ -428,16 +459,16 @@ static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
     w = width;
     do {
 #if PIX_BE
-        r = s[0];
-        g = s[1];
-        b = s[2];
+        r = vga_read_byte(vga, addr + 0);
+        g = vga_read_byte(vga, addr + 1);
+        b = vga_read_byte(vga, addr + 2);
 #else
-        b = s[0];
-        g = s[1];
-        r = s[2];
+        b = vga_read_byte(vga, addr + 0);
+        g = vga_read_byte(vga, addr + 1);
+        r = vga_read_byte(vga, addr + 2);
 #endif
         ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
-        s += 3;
+        addr += 3;
         d += BPP;
     } while (--w != 0);
 }
@@ -445,11 +476,12 @@ static void glue(vga_draw_line24_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
 /*
  * 32 bit color
  */
-static void glue(vga_draw_line32_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
-                                          const uint8_t *s, int width)
+static void glue(vga_draw_line32_, PIXEL_FNAME)(VGACommonState *vga, uint8_t *d,
+                                                uint32_t addr, int width)
 {
 #if DEPTH == 32 && !BGR_FORMAT && PIX_BE == defined(HOST_WORDS_BIGENDIAN)
-    memcpy(d, s, width * 4);
+    uint32_t offset = addr & vga->vbe_size_mask & ~3;
+    memcpy(d, (uint8_t *)(vga->vram_ptr + offset), width * 4);
 #else
     int w;
     uint32_t r, g, b;
@@ -457,16 +489,16 @@ static void glue(vga_draw_line32_, PIXEL_FNAME)(VGACommonState *s1, uint8_t *d,
     w = width;
     do {
 #if PIX_BE
-        r = s[1];
-        g = s[2];
-        b = s[3];
+        r = vga_read_byte(vga, addr + 1);
+        g = vga_read_byte(vga, addr + 2);
+        b = vga_read_byte(vga, addr + 3);
 #else
-        b = s[0];
-        g = s[1];
-        r = s[2];
+        b = vga_read_byte(vga, addr + 0);
+        g = vga_read_byte(vga, addr + 1);
+        r = vga_read_byte(vga, addr + 2);
 #endif
         ((PIXEL_TYPE *)d)[0] = glue(rgb_to_pixel, PIXEL_NAME)(r, g, b);
-        s += 4;
+        addr += 4;
         d += BPP;
     } while (--w != 0);
 #endif
openSUSE Build Service is sponsored by