File 0200-sm501-Set-updated-region-dirty-afte.patch of Package qemu.19805
From: BALATON Zoltan <balaton@eik.bme.hu>
Date: Wed, 4 Jul 2018 11:40:58 +0200
Subject: sm501: Set updated region dirty after 2D operation
Git-commit: eb76243c9da613d0abc27eb38a0d47b82f7ca00b
References: bsc#1172385, CVE-2020-12829
Set the changed memory region dirty after performing a 2D operation to
ensure that the screen is updated properly.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/sm501.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index e4da6f0bfaa8837020fc0d6439a1..acce7c3dc2823220b82c07cf8882 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -697,12 +697,16 @@ static void sm501_2d_operation(SM501State *s)
/* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
int rop = s->twoD_control & 0xFF;
+ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
+ uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
/* get frame buffer info */
- uint8_t *src = s->local_mem + (s->twoD_source_base & 0x03FFFFFF);
- uint8_t *dst = s->local_mem + (s->twoD_destination_base & 0x03FFFFFF);
+ uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
int src_width = s->twoD_pitch & 0x1FFF;
int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
if (addressing != 0x0) {
printf("%s: only XY addressing is supported.\n", __func__);
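Review bot: `src_base` and `dst_base` are guest-programmed register values limited only by the `0x03FFFFFF` mask, so `src` and `dst` can point up to 64 MiB from the start of `s->local_mem`, and nothing in this hunk compares them with the amount of local memory actually backing the device. A guard right after these declarations, for example `if (src_base >= memory_region_size(&s->local_mem_region) || dst_base >= memory_region_size(&s->local_mem_region)) { return; }`, would reject out-of-range bases; the extent of the operation (pitch, coordinates and operation size) needs the same validation before the copy loops run. `fb_len` is also a product of three guest-influenced values held in an `int`, and whether `get_bpp()` returns bytes or bits per pixel is not visible here, so a comment such as `/* visible frame buffer size in bytes */` would help once the unit is confirmed. The function body starts before and continues after this hunk, so a check may exist outside the shown lines.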
@@ -803,6 +807,15 @@ static void sm501_2d_operation(SM501State *s)
abort();
break;
}
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+ dst_base <= get_fb_addr(s, crt) + fb_len) {
+ int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
+ dst_x + operation_width) * (1 << format_flags));
+ if (dst_len) {
+ memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
+ }
+ }
}
static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
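Review bot: The `dst_len` passed to `memory_region_set_dirty()` is computed in `int` from `dst_y`, `operation_height`, `dst_width`, `dst_x` and `operation_width` (declared outside this hunk and apparently taken from device registers), so the expression can overflow or go negative, and `if (dst_len)` lets a negative value through to be converted into a very large size. The clamp to `fb_len` also ignores where `dst_base` sits, so `dst_base + dst_len` can run past the end of the frame buffer and possibly of `local_mem_region`. The range test uses `<=`, which accepts a base exactly at the end of the frame buffer. The sketch below does the arithmetic in 64 bits, requires a positive length and bounds it by the bytes remaining in the region; the operand types should be confirmed against the declarations above the hunk.

```c
    if (dst_base >= get_fb_addr(s, crt) &&
        dst_base < get_fb_addr(s, crt) + fb_len) {
        uint64_t mem_size = memory_region_size(&s->local_mem_region);
        int64_t dst_len = ((int64_t)(dst_y + operation_height - 1) * dst_width +
                           dst_x + operation_width) * (1 << format_flags);

        /* Only mark a positive range that stays inside the region. */
        if (dst_len > 0 && fb_len > 0 && dst_base < mem_size) {
            uint64_t limit = MIN((uint64_t)fb_len, mem_size - dst_base);

            memory_region_set_dirty(&s->local_mem_region, dst_base,
                                    MIN((uint64_t)dst_len, limit));
        }
    }
```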