vmsvga: shadow fifo registers
commit 71798fda8b6ef8df47c7640ba0bc24d7060ad307
author Gerd Hoffmann <kraxel@redhat.com>
Mon, 30 May 2016 07:09:20 +0000 (30 09:09 +0200)
committer Michael Roth <mdroth@linux.vnet.ibm.com>
Fri, 5 Aug 2016 18:37:40 +0000 (5 13:37 -0500)
tree 1668041a8904c476ac098f13d701158810831cb3
parent 3141be668fa508f08d76de576c381692bccd99ad
vmsvga: shadow fifo registers

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/display/vmware_vga.c
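
The shadowing pattern the commit message describes, as an added example that is not code from this commit or from QEMU: each guest-writable register is read once into a host-private copy, and both the sanity checks and all later arithmetic use only that copy. The struct layout, function names, region size and check set are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FIFO_BYTES 4096u   /* constructed size of the shared fifo region */
#define HDR_BYTES  16u     /* four 32-bit registers at the start of it */

/* Hypothetical layout: these live in RAM the guest can write at any time. */
struct fifo_regs { volatile uint32_t min, max, next_cmd, stop; };

/* Host-private shadow: the guest has no way to reach this copy. */
struct fifo_shadow { uint32_t min, max, next_cmd, stop; };

/* Fetch every shared register exactly once, then validate the copies.
 * Returns 0 if the shadow is usable, -1 if the guest supplied bad values. */
static int fifo_snapshot(const struct fifo_regs *shared, struct fifo_shadow *s)
{
    s->min = shared->min;
    s->max = shared->max;
    s->next_cmd = shared->next_cmd;
    s->stop = shared->stop;

    if ((s->min | s->max | s->next_cmd | s->stop) & 3u) return -1; /* unaligned */
    if (s->min < HDR_BYTES || s->max > FIFO_BYTES)      return -1; /* out of region */
    if (s->min >= s->max)                               return -1; /* empty or inverted */
    if (s->next_cmd < s->min || s->next_cmd >= s->max)  return -1;
    if (s->stop < s->min || s->stop >= s->max)          return -1;
    return 0;
}

/* Bytes queued between stop and next_cmd, with wrap-around at max.
 * Takes only the shadow, so a later guest write cannot change the result. */
static uint32_t fifo_pending(const struct fifo_shadow *s)
{
    if (s->next_cmd >= s->stop)
        return s->next_cmd - s->stop;
    return (s->max - s->min) - (s->stop - s->next_cmd);
}

int main(void)
{
    struct fifo_regs shared = { 16u, 4096u, 64u, 32u };  /* constructed values */
    struct fifo_shadow s;

    if (fifo_snapshot(&shared, &s) != 0)
        return 1;
    shared.max = 0xFFFFFFF0u;   /* guest rewrites the register after the check */
    printf("pending=%u shadow max=%u\n", fifo_pending(&s), s.max);
    return 0;
}
```

Code that re-read `shared->max` or `shared->stop` after validation would compute offsets from the rewritten values; keeping the shared pointer out of `fifo_pending` makes that mistake impossible to write.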