author | Gerd Hoffmann | 2020-02-25 06:59:19 +0100 |
---|---|---|
committer | Gerd Hoffmann | 2020-03-02 08:24:36 +0100 |
commit | 44b5c1ebfa5db337714180e9d4a8d525da5595d6 (patch) | |
tree | 4299858e63c79ae06c181ede800e62ce36caa565 | |
parent | Arithmetic error in EDID generation fixed (diff) | |
qxl: map rom r/o
Map qxl rom read-only into the guest, so the guest can't tamper with the
content. qxl has a shadow copy of the rom to deal with that, but the
shadow doesn't cover the mode list. A privileged user in the guest can
manipulate the mode list and use that to trick qemu into oob reads, leading
to a DoS via segfault if that read access happens to hit unmapped memory.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200225055920.17261-2-kraxel@redhat.com
-rw-r--r-- | hw/display/qxl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 21a43a1d5e..227da69a50 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -2136,7 +2136,7 @@ static void qxl_realize_common(PCIQXLDevice *qxl, Error **errp) pci_set_byte(&config[PCI_INTERRUPT_PIN], 1); qxl->rom_size = qxl_rom_size(); - memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom", + memory_region_init_rom(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom", qxl->rom_size, &error_fatal); init_qxl_rom(qxl); init_qxl_ram(qxl); |
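Review bot: The memory_region_init_rom() call in qxl_realize_common() has no comment explaining that the read-only mapping is security-relevant, so a later cleanup could switch it back to memory_region_init_ram() without noticing. A one-line comment above the call, stating that the guest must not be able to modify the ROM because the shadow copy does not cover the mode list, would keep the reason next to the code. Two further points are worth confirming. First, init_qxl_rom(qxl), which runs right after this call, fills the ROM from the host side, so check that it still populates the region now that the region is created as ROM. Second, the commit message describes out-of-bounds reads driven by mode list contents, so a bounds check where qemu consumes the mode list would be a useful second layer that does not depend on how the BAR is mapped.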