[PULL,1/2] vfio: fix use-after-free in display
Message ID 20200716093119.10740-2-kraxel@redhat.com
State New
Gerd Hoffmann July 16, 2020, 9:31 a.m. UTC
Calling ramfb_display_update() might replace the DisplaySurface with the
boot display, which in turn will free the currently active

So clear our DisplaySurface pinter (dpy->region.surface pointer) to (a)
avoid use-after-free and (b) force replacing the boot display with the
real display when switching back.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Message-id: 20200713124520.23266-1-kraxel@redhat.com
 hw/vfio/display.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/vfio/display.c b/hw/vfio/display.c
index a57a22674d62..342054193b3c 100644
--- a/hw/vfio/display.c
+++ b/hw/vfio/display.c
@@ -405,6 +405,7 @@  static void vfio_display_region_update(void *opaque)
     if (!plane.drm_format || !plane.size) {
         if (dpy->ramfb) {
             ramfb_display_update(dpy->con, dpy->ramfb);
+            dpy->region.surface = NULL;