File xsa463-07.patch of Package xen.36400
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/HVM: drop stdvga's "{g,s}r_index" struct members
No consumers are left, hence the producer and the fields themselves can
also go away. stdvga_outb() is then useless, rendering stdvga_out()
useless as well. Hence the entire I/O port intercept can go away.
This is part of XSA-463 / CVE-2024-45818
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
(cherry picked from commit 86c03372e107f5c18266a62281663861b1144929)
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -38,62 +38,6 @@
#define VGA_MEM_BASE 0xa0000
#define VGA_MEM_SIZE 0x20000
-static int stdvga_outb(uint64_t addr, uint8_t val)
-{
- struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga;
- int rc = 1;
-
- switch ( addr )
- {
- case 0x3c4: /* sequencer address register */
- s->sr_index = val;
- break;
-
- case 0x3ce: /* graphics address register */
- s->gr_index = val;
- break;
-
- default:
- rc = 0;
- break;
- }
-
- return rc;
-}
-
-static void stdvga_out(uint32_t port, uint32_t bytes, uint32_t val)
-{
- switch ( bytes )
- {
- case 1:
- stdvga_outb(port, val);
- break;
-
- case 2:
- stdvga_outb(port + 0, val >> 0);
- stdvga_outb(port + 1, val >> 8);
- break;
-
- default:
- break;
- }
-}
-
-static int stdvga_intercept_pio(
- int dir, unsigned int port, unsigned int bytes, uint32_t *val)
-{
- struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga;
-
- if ( dir == IOREQ_WRITE )
- {
- spin_lock(&s->lock);
- stdvga_out(port, bytes, *val);
- spin_unlock(&s->lock);
- }
-
- return X86EMUL_UNHANDLEABLE; /* propagate to external ioemu */
-}
-
static int stdvga_mem_read(const struct hvm_io_handler *handler,
uint64_t addr, uint32_t size, uint64_t *p_data)
{
@@ -194,11 +138,6 @@ void stdvga_init(struct domain *d)
{
struct hvm_io_handler *handler;
- /* Sequencer registers. */
- register_portio_handler(d, 0x3c4, 2, stdvga_intercept_pio);
- /* Graphics registers. */
- register_portio_handler(d, 0x3ce, 2, stdvga_intercept_pio);
-
/* VGA memory */
handler = hvm_next_io_handler(d);
--- a/xen/include/asm-x86/hvm/io.h
+++ b/xen/include/asm-x86/hvm/io.h
@@ -142,8 +142,6 @@ struct vpci_arch_msix_entry {
};
struct hvm_hw_stdvga {
- uint8_t sr_index;
- uint8_t gr_index;
struct page_info *vram_page[64]; /* shadow of 0xa0000-0xaffff */
spinlock_t lock;
};
