ioemu: various fixes to 18394:dade7f0bdc8d
authorKeir Fraser <keir.fraser@citrix.com>
Tue, 9 Sep 2008 14:02:51 +0000 (15:02 +0100)
committerKeir Fraser <keir.fraser@citrix.com>
Tue, 9 Sep 2008 14:02:51 +0000 (15:02 +0100)
- fix ioemu segv with old firmware
  Without notifying ioemu of address, ioemu will segv.

- fix qemu-dm segv with malicious firmware
  If notifying ioemu more than once, ioemu will segv.

Usually such cases don't happen, but malicious guest can
do it intentionally.

Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
tools/ioemu/hw/cirrus_vga.c
tools/ioemu/hw/vga.c

index 64ac7458fe2b298a1dd4a2269ae09bac9bfc4898..d41f1ee4e790c6ec0fae1f5a0a58414f6173d0a9 100644 (file)
@@ -2554,6 +2554,9 @@ static void set_vram_mapping(CirrusVGAState *s, unsigned long begin, unsigned lo
 
     fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);
 
+    if (!s->vram_mfns)
+        return;
+
     xatp.domid = domid;
     xatp.space = XENMAPSPACE_mfn;
 
index baf96faf51a432514d2aad7e53cef8c817b27639..86fbef858e6962e842114f34173cf048e31f5611 100644 (file)
@@ -2080,7 +2080,13 @@ void xen_vga_vram_map(uint64_t vram_addr, int copy)
 
     if (copy)
         memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE);
-    qemu_free(xen_vga_state->vram_ptr);
+    if (xen_vga_state->vram_mfns) {
+        /* In case this function is called more than once */
+        free(xen_vga_state->vram_mfns);
+        munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);
+    } else {
+        qemu_free(xen_vga_state->vram_ptr);
+    }
     xen_vga_state->vram_ptr = vram;
     xen_vga_state->vram_mfns = pfn_list;
 #ifdef CONFIG_STUBDOM
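Review bot: The re-entry branch reclaims the previous mapping but ignores the `munmap()` return value and does not record the event, even though the commit message says only a buggy or malicious guest reaches it, which makes it worth a log line: `fprintf(logfile, "xen_vga_vram_map: vram already mapped, remapping\n");` at the top of the branch, and `if (munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE) < 0) fprintf(logfile, "munmap failed: %s\n", strerror(errno));` in place of the bare call. Whether `free()` rather than `qemu_free()` is the matching release for `vram_mfns` depends on how `pfn_list` is allocated, which lies outside the hunk, as does the rest of xen_vga_vram_map; the memcpy on the `if (copy)` line reads the old vram_ptr before it is unmapped, so the ordering inside the hunk is sound. The added comment could state the cause rather than the symptom, e.g. `/* Guest firmware may notify the VRAM address more than once; release the previous mapping before installing the new one. */`.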