From cd8fef8d4b2dfeadc68ffb4d741ab23e9e13dad1 Mon Sep 17 00:00:00 2001
From: Anton V. Boyarshinov
Date: Wed, 26 Feb 2020 15:20:54 +0300
Subject: Arithmetic error in EDID generation fixed

To calculate screen size in centimeters we should calculate: pixels/dpi*2.54 but not pixels*dpi/2540 Using wrong formula we actually get 65 DPI and very small fonts.

Signed-off-by: Anton V. Boyarshinov
Message-id: 20200226122054.366b9cda@table.localdomain
Signed-off-by: Gerd Hoffmann
---
 hw/display/edid-generate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/display/edid-generate.c b/hw/display/edid-generate.c
index 75c945a948..e58472fde5 100644
--- a/hw/display/edid-generate.c
+++ b/hw/display/edid-generate.c
@@ -360,8 +360,8 @@ void qemu_edid_generate(uint8_t *edid, size_t size,
     edid[20] = 0xa5;
 
     /* screen size: undefined */
-    edid[21] = info->prefx * info->dpi / 2540;
-    edid[22] = info->prefy * info->dpi / 2540;
+    edid[21] = info->prefx * 254 / 100 / info->dpi;
+    edid[22] = info->prefy * 254 / 100 / info->dpi;
 
     /* display gamma: 2.2 */
     edid[23] = 220 - 100;
-- 
cgit v1.2.3-55-g7522
From 44b5c1ebfa5db337714180e9d4a8d525da5595d6 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Tue, 25 Feb 2020 06:59:19 +0100
Subject: qxl: map rom r/o

Map qxl rom read-only into the guest, so the guest can't tamper with the content. qxl has a shadow copy of the rom to deal with that, but the shadow doesn't cover the mode list. A privilidged user in the guest can manipulate the mode list and that to trick qemu into oob reads, leading to a DoS via segfault if that read access happens to hit unmapped memory.

Signed-off-by: Gerd Hoffmann
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20200225055920.17261-2-kraxel@redhat.com
---
 hw/display/qxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 21a43a1d5e..227da69a50 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
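Review bot: The new expressions on the `+` lines divide by `info->dpi`, which the removed formula only multiplied by, so a zero `dpi` reaching this point is now a division by zero (a fatal trap on the usual targets) instead of a harmless zero size; unless the defaulting earlier in qemu_edid_generate guarantees a non-zero value — that code is outside the hunk — the stores need a guard. The result is also narrowed into a `uint8_t`, so a wide panel at a low dpi silently wraps instead of saturating at the 255 cm the EDID byte can express. A guarded, clamped form covers both: `unsigned cm_x = info->dpi ? info->prefx * 254 / (100 * info->dpi) : 0;` followed by `edid[21] = cm_x > 255 ? 255 : cm_x;` (and the same for `prefy`/`edid[22]`). The `/* screen size: undefined */` comment above the changed lines is stale now that a size is computed; `/* screen size in cm, from the preferred mode and dpi */` would match the code. qemu_edid_generate begins and ends outside this hunk.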
@@ -2136,7 +2136,7 @@ static void qxl_realize_common(PCIQXLDevice *qxl, Error **errp)
     pci_set_byte(&config[PCI_INTERRUPT_PIN], 1);
 
     qxl->rom_size = qxl_rom_size();
-    memory_region_init_ram(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
+    memory_region_init_rom(&qxl->rom_bar, OBJECT(qxl), "qxl.vrom",
                            qxl->rom_size, &error_fatal);
     init_qxl_rom(qxl);
     init_qxl_ram(qxl);
-- 
cgit v1.2.3-55-g7522
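Review bot: The switch to `memory_region_init_rom` on the `+` line makes the BAR read-only for the guest only, while `init_qxl_rom(qxl)` two lines later presumably still fills the region from the host side through the RAM pointer, and nothing at the call site records that this ordering is intentional; a comment above the call, `/* guest gets the rom read-only: qemu trusts fields (e.g. the mode list) that the shadow copy does not cover; the host still fills it in init_qxl_rom() */`, would keep a later refactor from moving the fill or reverting to a writable mapping. The mapping change is a mitigation rather than a fix for the lookup itself: as the commit message notes, the shadow copy does not cover the mode list, so any code that indexes the rom's mode table with a guest-influenced value still depends on this mapping being honoured, and a bounds check at that lookup site (outside this hunk) would make the read safe on its own. qxl_realize_common starts and ends outside this hunk.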