[1/2] qxl: map rom r/o

Message ID 20200225055920.17261-2-kraxel@redhat.com
State New
Series
  • qxl: map rom r/o, remove shadow.

Commit Message

Gerd Hoffmann Feb. 25, 2020, 5:59 a.m. UTC
Map qxl rom read-only into the guest, so the guest can't tamper with the
content.  qxl has a shadow copy of the rom to deal with that, but the
shadow doesn't cover the mode list.  A privileged user in the guest can
manipulate the mode list and use that to trick qemu into oob reads, leading
to a DoS via segfault if that read access happens to hit unmapped memory.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/qxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
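The commit message above describes a trust problem: a table that the device model consults lives in memory the guest can write, so a guest-controlled count or index drives a host-side read. The following is an added, constructed illustration of that pattern and of why a read-only mapping closes it; it is not qxl's code, the struct layout, field names and the rom_readonly flag are stand-ins, and the flag models the difference between memory_region_init_ram and memory_region_init_rom (guest stores into a read-only region are discarded, host-side writes through the ram pointer still work).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not qxl's real data layout: a device "rom"
 * shared with the guest, holding a mode count and a fixed-size mode table. */
#define MAX_MODES 4

struct mode { uint32_t width, height; };

struct rom {
    uint32_t n_modes;
    struct mode modes[MAX_MODES];
};

/* Device state: the rom bar plus a flag standing in for whether the region
 * was created read/write (init_ram) or read-only for the guest (init_rom). */
struct dev {
    struct rom rom;
    bool rom_readonly;
};

/* Host side fills the rom at realize time; this is always allowed, since a
 * read-only region only restricts guest accesses, not the host pointer. */
void dev_init(struct dev *d, bool rom_readonly)
{
    memset(d, 0, sizeof *d);
    d->rom_readonly = rom_readonly;
    d->rom.n_modes = 2;
    d->rom.modes[0] = (struct mode){ 640, 480 };
    d->rom.modes[1] = (struct mode){ 1024, 768 };
}

/* Guest store into the rom bar. On a read-only mapping the store is
 * discarded. Returns true only if the write landed. */
bool guest_write_rom(struct dev *d, size_t off, uint32_t val)
{
    if (off + sizeof val > sizeof d->rom) return false;  /* outside the bar */
    if (d->rom_readonly) return false;                   /* write dropped */
    memcpy((uint8_t *)&d->rom + off, &val, sizeof val);
    return true;
}

/* Host-side lookup of a guest-chosen mode id. The bounds check uses the
 * count stored in the rom, which is only trustworthy if the guest cannot
 * change it. *oob is set when the check passed on a tampered count and a
 * real device model would now read past the table. */
bool host_lookup_mode(const struct dev *d, uint32_t id, struct mode *out, bool *oob)
{
    *oob = false;
    if (id >= d->rom.n_modes) return false;              /* rejected */
    if (id >= MAX_MODES) { *oob = true; return false; }  /* would be OOB */
    *out = d->rom.modes[id];
    return true;
}

/* Attack scenario: the guest inflates n_modes, then requests mode 100.
 * Returns true if the device would have performed an out-of-bounds read. */
bool attack_causes_oob(bool rom_readonly)
{
    struct dev d;
    struct mode m;
    bool oob;
    dev_init(&d, rom_readonly);
    guest_write_rom(&d, offsetof(struct rom, n_modes), 0xffffffffu);
    host_lookup_mode(&d, 100, &m, &oob);
    return oob;
}

/* Normal path: width of a valid mode id, 0 if rejected. */
uint32_t mode_width(bool rom_readonly, uint32_t id)
{
    struct dev d;
    struct mode m;
    bool oob;
    dev_init(&d, rom_readonly);
    return host_lookup_mode(&d, id, &m, &oob) ? m.width : 0;
}

int main(void)
{
    printf("rw rom: oob=%d\n", attack_causes_oob(false));
    printf("ro rom: oob=%d\n", attack_causes_oob(true));
    return 0;
}
```

With the read/write mapping the guest's bogus count passes the device's own check and the lookup goes past the table; with the read-only mapping the store never lands, the count stays at the host-written value and the same request is simply rejected. A shadow copy of the count would protect the check the same way, which is why the patch can also drop the shadow once the whole rom is read-only.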

Comments

Philippe Mathieu-Daudé Feb. 25, 2020, 9:07 a.m. UTC | #1
On 2/25/20 6:59 AM, Gerd Hoffmann wrote:
> Map qxl rom read-only into the guest, so the guest can't tamper with the
> content.  qxl has a shadow copy of the rom to deal with that, but the
> shadow doesn't cover the mode list.  A privileged user in the guest can
> manipulate the mode list and use that to trick qemu into oob reads, leading
> to a DoS via segfault if that read access happens to hit unmapped memory.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   hw/display/qxl.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/display/qxl.c b/hw/display/qxl.c
> index 21a43a1d5ec2..227da69a50d9 100644
> --- a/hw/display/qxl.c
> +++ b/hw/display/qxl.c
> @@ -2136,7 +2136,7 @@ static void qxl_realize_common(PCIQXLDevice *qxl, Error **errp)
>       pci_set_byte(&config[PCI_INTERRUPT_PIN], 1);
>   
>       qxl->rom_size = qxl_rom_size();
> -    memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
> +    memory_region_init_rom(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
>                              qxl->rom_size, &error_fatal);
>       init_qxl_rom(qxl);
>       init_qxl_ram(qxl);
> 
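Review bot: the switch to memory_region_init_rom() makes the region read-only for guest accesses only, so the host-side stores in init_qxl_rom() on the context line right below the change (and any later updates qemu makes through the rom pointer) keep working; a sentence in the commit message saying so would save the next reader from wondering whether the device's own writes now get dropped. Guest stores to the bar are silently ignored from here on rather than reaching the backing RAM, so a guest driver that did write there sees no error; if that is the intended contract it is worth stating too.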

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Patch

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 21a43a1d5ec2..227da69a50d9 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -2136,7 +2136,7 @@  static void qxl_realize_common(PCIQXLDevice *qxl, Error **errp)
     pci_set_byte(&config[PCI_INTERRUPT_PIN], 1);
 
     qxl->rom_size = qxl_rom_size();
-    memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
+    memory_region_init_rom(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
                            qxl->rom_size, &error_fatal);
     init_qxl_rom(qxl);
     init_qxl_ram(qxl);
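Review bot: the changed call still passes &error_fatal although qxl_realize_common() takes an Error **errp (visible in the hunk header), so a failure to back the rom region aborts QEMU instead of failing realize; since this line is being touched anyway, propagating through errp would be the cleaner choice. Keeping the region name "qxl.vrom" unchanged is right: that name is what identifies the RAM block in a migration stream, so migration between builds before and after this patch is unaffected by the ram-to-rom switch.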