Commit 8ec14159 authored by Gerd Hoffmann's avatar Gerd Hoffmann
Browse files

vfio: fix use-after-free in display 



Calling ramfb_display_update() might replace the DisplaySurface with the
boot display, which in turn will free the currently active
DisplaySurface.

So clear our DisplaySurface pinter (dpy->region.surface pointer) to (a)
avoid use-after-free and (b) force replacing the boot display with the
real display when switching back.

Signed-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: default avatarAlex Williamson <alex.williamson@redhat.com>
Acked-by: default avatarAlex Williamson <alex.williamson@redhat.com>
Message-id: 20200713124520.23266-1-kraxel@redhat.com
parent 87463091

hw/vfio/display.c

+1 −0
Original line number Diff line number Diff line
@@ -405,6 +405,7 @@ static void vfio_display_region_update(void *opaque) 
    if (!plane.drm_format || !plane.size) {

        if (dpy->ramfb) {

            ramfb_display_update(dpy->con, dpy->ramfb);

            dpy->region.surface = NULL;

        }

        return;

    }