From: Keir Fraser
Date: Tue, 9 Sep 2008 14:02:51 +0000 (+0100)
Subject: ioemu: various fixes to 18394:dade7f0bdc8d
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~14111^2~20
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=8a64d79e8dc38fb7122f1822482427e4315957c9;p=xen.git

ioemu: various fixes to 18394:dade7f0bdc8d

- fix ioemu segv with old firmware
  Without notifying ioemu of address, ioemu will segv.

- fix qemu-dm segv with malicous firmware
  If notifying ioemu more than once, ioemu will segv.
  Usually such cases don't happen, but malicious guest can do it intentionally.

Signed-off-by: Isaku Yamahata
---
diff --git a/tools/ioemu/hw/cirrus_vga.c b/tools/ioemu/hw/cirrus_vga.c
index 64ac7458fe..d41f1ee4e7 100644
--- a/tools/ioemu/hw/cirrus_vga.c
+++ b/tools/ioemu/hw/cirrus_vga.c
@@ -2554,6 +2554,9 @@ static void set_vram_mapping(CirrusVGAState *s, unsigned long begin, unsigned lo
     fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);
+    if (!s->vram_mfns)
+        return;
+
     xatp.domid = domid;
     xatp.space = XENMAPSPACE_mfn;
diff --git a/tools/ioemu/hw/vga.c b/tools/ioemu/hw/vga.c
index baf96faf51..86fbef858e 100644
--- a/tools/ioemu/hw/vga.c
+++ b/tools/ioemu/hw/vga.c
@@ -2080,7 +2080,13 @@ void xen_vga_vram_map(uint64_t vram_addr, int copy)
     if (copy)
         memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE);
-    qemu_free(xen_vga_state->vram_ptr);
+    if (xen_vga_state->vram_mfns) {
+        /* In case this function is called more than once */
+        free(xen_vga_state->vram_mfns);
+        munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);
+    } else {
+        qemu_free(xen_vga_state->vram_ptr);
+    }
     xen_vga_state->vram_ptr = vram;
     xen_vga_state->vram_mfns = pfn_list;
 #ifdef CONFIG_STUBDOM
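Review bot: The new guard `if (!s->vram_mfns) return;` is placed after the `fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);` line, so when the firmware has not yet notified ioemu of the VRAM address the log records a mapping that never happened, which makes exactly the old-firmware case this commit fixes harder to diagnose from the log. Move the check above the fprintf, or log the skip explicitly, e.g. `if (!s->vram_mfns) { fprintf(logfile, "vram mfns not yet known, skipping vram mapping\n"); return; }`. The early return is also silent for a void function, so the caller cannot tell the mapping was skipped; a comment such as `/* vram_mfns is filled in by the firmware notification (presumably xen_vga_vram_map); nothing to map until then */` would record the expectation. set_vram_mapping begins and ends outside this hunk, so whether any state updated after this point is now skipped as well cannot be checked here.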
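Review bot: The `munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);` in the new re-entry branch ignores its return value, so a failed unmap leaves the previous mapping live while `vram_ptr` is overwritten two lines later and nothing is logged; check it, e.g. `if (munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE) < 0) fprintf(logfile, "munmap of old vram failed: %s\n", strerror(errno));` (assuming `logfile` and the errno/string headers are available in vga.c as they are in cirrus_vga.c). The same branch releases the mfn list with `free()` while the sibling branch uses `qemu_free()`; if `vram_mfns` is allocated with qemu_malloc elsewhere the release should match, and if it is a plain malloc a comment saying so would keep a future reader from "fixing" it. The `/* In case this function is called more than once */` comment would be more useful if it said why, since the commit message is the only place that records it: `/* A guest can issue this notification more than once; release the previous mapping and mfn list before replacing them. */`. xen_vga_vram_map starts before the hunk and continues after it, so whether `vram` and `pfn_list` are validated before this point cannot be seen here.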