spice: fix invalid memory access to vga.vram

vga_common_init() doesn't allow more than 256 MiB vram size and silently shrinks any larger value. qxl_dirty_surfaces() used the unshrinked size via qxl->shadow_rom.surface0_area_size when accessing the memory, which resulted in segfault. Add a workaround for this case and an assert if it happens again. We have to bump the vga memory limit too, because 256 MiB wouldn't have allowed 8k (it requires more than 128 MiB). 1024 MiB doesn't work, but 512 MiB seems fine. Proposed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
qemu · Mar 3, 2015 · 876d516 · 876d516
1 parent 03d9825
commit 876d516
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
@@ -370,6 +370,8 @@ static void init_qxl_rom(PCIQXLDevice *d)
     num_pages         -= surface0_area_size;
     num_pages          = num_pages / QXL_PAGE_SIZE;
 
+    assert(ram_header_size + surface0_area_size <= d->vga.vram_size);
+
     rom->draw_area_offset   = cpu_to_le32(0);
     rom->surface0_area_size = cpu_to_le32(surface0_area_size);
     rom->pages_offset       = cpu_to_le32(surface0_area_size);
@@ -1883,6 +1885,12 @@ static void qxl_init_ramsize(PCIQXLDevice *qxl)
     if (qxl->vgamem_size_mb < 8) {
         qxl->vgamem_size_mb = 8;
     }
+    /* XXX: we round vgamem_size_mb up to a nearest power of two and it must be
+     * less than vga_common_init()'s maximum on qxl->vga.vram_size (512 now).
+     */
+    if (qxl->vgamem_size_mb > 256) {
+        qxl->vgamem_size_mb = 256;
+    }
     qxl->vgamem_size = qxl->vgamem_size_mb * 1024 * 1024;
 
     /* vga ram (bar 0, total) */

diff --git a/hw/display/vga.c b/hw/display/vga.c
@@ -2121,10 +2121,10 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)
         expand4to8[i] = v;
     }
 
-    /* valid range: 1 MB -> 256 MB */
+    /* valid range: 1 MB -> 512 MB */
     s->vram_size = 1024 * 1024;
     while (s->vram_size < (s->vram_size_mb << 20) &&
-           s->vram_size < (256 << 20)) {
+           s->vram_size < (512 << 20)) {
         s->vram_size <<= 1;
     }
     s->vram_size_mb = s->vram_size >> 20;