Commit a9e0cb67 authored by Hou Qiming's avatar Hou Qiming Committed by Gerd Hoffmann

hw/display/ramfb: lock guest resolution after it's set



Only allow one resolution change per guest boot, which prevents a
crash when the guest writes garbage to the configuration space (e.g.
when rebooting).

Signed-off-by: HOU Qiming <hqm03ster@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Message-id: 20190513115731.17588-3-marcel.apfelbaum@gmail.com
[fixed malformed patch]
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
parent d57f252a
+22 −4
@@ -30,6 +30,7 @@ struct RAMFBState {
    DisplaySurface *ds;
    uint32_t width, height;
    struct RAMFBCfg cfg;
    bool locked;
};

static void ramfb_unmap_display_surface(pixman_image_t *image, void *unused)
@@ -70,18 +71,25 @@ static DisplaySurface *ramfb_create_display_surface(int width, int height,
static void ramfb_fw_cfg_write(void *dev, off_t offset, size_t len)
{
    RAMFBState *s = dev;
    uint32_t fourcc, format;
    uint32_t fourcc, format, width, height;
    hwaddr stride, addr;

    s->width  = be32_to_cpu(s->cfg.width);
    s->height = be32_to_cpu(s->cfg.height);
    width     = be32_to_cpu(s->cfg.width);
    height    = be32_to_cpu(s->cfg.height);
    stride    = be32_to_cpu(s->cfg.stride);
    fourcc    = be32_to_cpu(s->cfg.fourcc);
    addr      = be64_to_cpu(s->cfg.addr);
    format    = qemu_drm_format_to_pixman(fourcc);

    fprintf(stderr, "%s: %dx%d @ 0x%" PRIx64 "\n", __func__,
            s->width, s->height, addr);
            width, height, addr);
    if (s->locked) {
        fprintf(stderr, "%s: resolution locked, change rejected\n", __func__);
        return;
    }
    s->locked = true;
    s->width = width;
    s->height = height;
    s->ds = ramfb_create_display_surface(s->width, s->height,
                                         format, stride, addr);
}
@@ -101,6 +109,13 @@ void ramfb_display_update(QemuConsole *con, RAMFBState *s)
    dpy_gfx_update_full(con);
}

static void ramfb_reset(void *opaque)
{
    RAMFBState *s = (RAMFBState *)opaque;
    s->locked = false;
    memset(&s->cfg, 0, sizeof(s->cfg));
}

RAMFBState *ramfb_setup(Error **errp)
{
    FWCfgState *fw_cfg = fw_cfg_find();
@@ -113,9 +128,12 @@ RAMFBState *ramfb_setup(Error **errp)

    s = g_new0(RAMFBState, 1);

    s->locked = false;

    rom_add_vga("vgabios-ramfb.bin");
    fw_cfg_add_file_callback(fw_cfg, "etc/ramfb",
                             NULL, ramfb_fw_cfg_write, s,
                             &s->cfg, sizeof(s->cfg), false);
    qemu_register_reset(ramfb_reset, s);
    return s;
}
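Review bot: The guard added at `if (s->locked)` in ramfb_fw_cfg_write only rejects the second and later writes; the first write's width, height, stride, fourcc and addr still flow unchecked into ramfb_create_display_surface, so guest-supplied garbage is refused only after the lock is set, never on the initial write. A minimal check before `s->locked = true;` would be `if (format == 0 || width == 0 || height == 0) { return; }` — assuming qemu_drm_format_to_pixman reports an unknown fourcc as 0, which this hunk does not show — and a stride-against-width check belongs in the same place. Because `s->locked` is set before ramfb_create_display_surface runs, a rejected or failed first attempt also locks the device until reset; setting the flag only after the surface exists would avoid that, though whether that call can fail is outside the hunk. The "resolution locked, change rejected" message goes to stderr on every subsequent guest write, and the guest can issue those at will through fw_cfg, so the log volume is guest-controlled; a tracepoint or a once-per-lock message would be safer. The `s->locked = false;` added to ramfb_setup is redundant after `g_new0`, which already zeroes the struct.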