Hi,

Another pile of cirrus blitter fixes, including cve fixes for known issues, so clearly 2.9 material.

Patches 6+7 implement a new approach to blitter memory access sanity checking. We pass around offsets not pointers, and at the place where the actual memory access happens we mask the offset to the valid range before calculating the pointer. That should put an end to security holes due to blit_is_unsafe() sanity checks failing to calculate some special case correctly, or due to blit_is_unsafe() calls missing, and kill any dragons which might still be lurking in the code. In theory this even obsoletes blit_is_unsafe(), but I don't feel like ripping it out right away ...

please pull,
  Gerd

The following changes since commit 1883ff34b540daacae948f493b0ba525edf5f642:

  Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2017-03-15 18:44:05 +0000)

are available in the git repository at:

  git://git.kraxel.org/qemu tags/pull-cirrus-20170316-1

for you to fetch changes up to ffaf857778286ca54e3804432a2369a279e73aa7:

  cirrus: stop passing around src pointers in the blitter (2017-03-16 08:58:16 +0100)

----------------------------------------------------------------
cirrus: blitter fixes.

----------------------------------------------------------------
Gerd Hoffmann (6):
      cirrus/vnc: zap bitblit support from console code.
      cirrus: switch to 4 MB video memory by default
      cirrus: add option to disable blitter
      cirrus: fix cirrus_invalidate_region
      cirrus: stop passing around dst pointers in the blitter
      cirrus: stop passing around src pointers in the blitter

hangaohuai (1):
      fix :cirrus_vga fix OOB read case qemu Segmentation fault

 hw/display/cirrus_vga.c      | 106 ++++++++++++++++--------
 hw/display/cirrus_vga_rop.h  | 191 ++++++++++++++++++++++++++-----------------
 hw/display/cirrus_vga_rop2.h | 125 ++++++++++++++--------------
 include/hw/compat.h          |   8 ++
 include/ui/console.h         |   7 --
 ui/console.c                 |  28 -------
 ui/vnc.c                     | 100 ----------------------
 7 files changed, 259 insertions(+), 306 deletions(-)
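The offset-masking idea from patches 6+7, sketched as an added C example that is not code from the QEMU series: the blitter carries VRAM offsets rather than pointers and masks each offset to the valid range at the moment of access, so no separate sanity check can be skipped or miscomputed. FakeCirrus, rop_srccopy, blit_masked and the 32-byte VRAM are constructed for the demonstration; the mask only works because the VRAM size is a power of two.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the guest-visible video RAM. The device in the
 * series defaults to 4 MB; the trick only needs a power-of-two size. */
#define VRAM_SIZE 32u
#define VRAM_MASK (VRAM_SIZE - 1)
_Static_assert((VRAM_SIZE & VRAM_MASK) == 0, "VRAM_SIZE must be a power of two");

typedef struct { uint8_t vram[VRAM_SIZE]; } FakeCirrus;
static FakeCirrus g;                 /* single constructed device instance */

/* Hypothetical raster op: plain source copy. */
static inline uint8_t rop_srccopy(uint8_t dst, uint8_t src) { (void)dst; return src; }

/* Blit a w x h rectangle. Both sides are offsets into VRAM and are masked
 * at the point of access, so whatever the guest programmed (huge start
 * address, negative pitch, width beyond the pitch) stays inside vram[]. */
static void blit_masked(FakeCirrus *s, uint32_t dstoff, uint32_t srcoff,
                        int32_t dstpitch, int32_t srcpitch, int w, int h)
{
    for (int y = 0; y < h; y++) {
        for (int x = 0; x < w; x++) {
            uint32_t d = (dstoff + (uint32_t)x) & VRAM_MASK;
            uint32_t m = (srcoff + (uint32_t)x) & VRAM_MASK;
            s->vram[d] = rop_srccopy(s->vram[d], s->vram[m]);
        }
        dstoff += (uint32_t)dstpitch;  /* uint32 wraparound is harmless: masked above */
        srcoff += (uint32_t)srcpitch;
    }
}

/* Demo: destination starts 2 bytes before the end of VRAM with a negative
 * pitch. Returns how many bytes changed; all of them lie inside vram[]. */
static unsigned demo_wrapping_blit(void)
{
    memset(g.vram, 0, sizeof g.vram);
    for (unsigned i = 0; i < 8; i++) g.vram[i] = (uint8_t)(0xA0 + i);  /* source block */
    blit_masked(&g, VRAM_SIZE - 2, 0, -4, 4, 4, 2);
    unsigned changed = 0;
    for (unsigned i = 0; i < VRAM_SIZE; i++) changed += g.vram[i] != 0;
    return changed;
}

static uint8_t vram_at(unsigned i) { return g.vram[i & VRAM_MASK]; }

int main(void)
{
    printf("bytes touched: %u\n", demo_wrapping_blit());  /* prints 14 */
    return 0;
}
```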