| Message ID | 20200225055920.17261-2-kraxel@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | qxl: map rom r/o, remove shadow. | expand |
On 2/25/20 6:59 AM, Gerd Hoffmann wrote: > Map qxl rom read-only into the guest, so the guest can't tamper with the > content. qxl has a shadow copy of the rom to deal with that, but the > shadow doesn't cover the mode list. A privilidged user in the guest can > manipulate the mode list and that to trick qemu into oob reads, leading > to a DoS via segfault if that read access happens to hit unmapped memory. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > hw/display/qxl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/display/qxl.c b/hw/display/qxl.c > index 21a43a1d5ec2..227da69a50d9 100644 > --- a/hw/display/qxl.c > +++ b/hw/display/qxl.c > @@ -2136,7 +2136,7 @@ static void qxl_realize_common(PCIQXLDevice *qxl, Error **errp) > pci_set_byte(&config[PCI_INTERRUPT_PIN], 1); > > qxl->rom_size = qxl_rom_size(); > - memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom", > + memory_region_init_rom(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom", > qxl->rom_size, &error_fatal); > init_qxl_rom(qxl); > init_qxl_ram(qxl); > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 21a43a1d5ec2..227da69a50d9 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -2136,7 +2136,7 @@ static void qxl_realize_common(PCIQXLDevice *qxl, Error **errp) pci_set_byte(&config[PCI_INTERRUPT_PIN], 1); qxl->rom_size = qxl_rom_size(); - memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom", + memory_region_init_rom(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom", qxl->rom_size, &error_fatal); init_qxl_rom(qxl); init_qxl_ram(qxl);
Map qxl rom read-only into the guest, so the guest can't tamper with the content. qxl has a shadow copy of the rom to deal with that, but the shadow doesn't cover the mode list. A privilidged user in the guest can manipulate the mode list and that to trick qemu into oob reads, leading to a DoS via segfault if that read access happens to hit unmapped memory. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> --- hw/display/qxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)