From patchwork Wed Aug 26 21:13:34 2020
X-Patchwork-Submitter: Helge Deller
X-Patchwork-Id: 275461
From: Helge Deller
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL v5 01/12] hw/hppa: Sync hppa_hardware.h file with SeaBIOS sources
Date: Wed, 26 Aug 2020 23:13:34 +0200
Message-Id: <20200826211345.14295-2-deller@gmx.de>
In-Reply-To: <20200826211345.14295-1-deller@gmx.de>
References: <20200826211345.14295-1-deller@gmx.de>
Cc: Helge Deller, Richard Henderson, Richard Henderson

The hppa_hardware.h file is shared with SeaBIOS. Sync it.

Acked-by: Richard Henderson
Signed-off-by: Helge Deller
---
 hw/hppa/hppa_hardware.h | 6 ++++++
 hw/hppa/lasi.c | 2 --
 2 files changed, 6 insertions(+), 2 deletions(-)
--
2.21.3

diff --git a/hw/hppa/hppa_hardware.h b/hw/hppa/hppa_hardware.h index 4a2fe2df60..cdb7fa6240 100644 --- a/hw/hppa/hppa_hardware.h +++ b/hw/hppa/hppa_hardware.h @@ -17,6 +17,7 @@ #define LASI_UART_HPA 0xffd05000 #define LASI_SCSI_HPA 0xffd06000 #define LASI_LAN_HPA 0xffd07000 +#define LASI_RTC_HPA 0xffd09000 #define LASI_LPT_HPA 0xffd02000 #define LASI_AUDIO_HPA 0xffd04000 #define LASI_PS2KBD_HPA 0xffd08000 @@ -37,10 +38,15 @@ #define PORT_PCI_CMD (PCI_HPA + DINO_PCI_ADDR) #define PORT_PCI_DATA (PCI_HPA + DINO_CONFIG_DATA) +/* QEMU fw_cfg interface port */ +#define QEMU_FW_CFG_IO_BASE (MEMORY_HPA + 0x80) + #define PORT_SERIAL1 (DINO_UART_HPA + 0x800) #define PORT_SERIAL2 (LASI_UART_HPA + 0x800) #define HPPA_MAX_CPUS 8 /* max. number of SMP CPUs */ #define CPU_CLOCK_MHZ 250 /* emulate a 250 MHz CPU */ +#define CPU_HPA_CR_REG 7 /* store CPU HPA in cr7 (SeaBIOS internal) */ + #endif
diff --git a/hw/hppa/lasi.c b/hw/hppa/lasi.c index 19974034f3..ffcbb988b8 100644 --- a/hw/hppa/lasi.c +++ b/hw/hppa/lasi.c 
@@ -54,8 +54,6 @@ #define LASI_CHIP(obj) \ OBJECT_CHECK(LasiState, (obj), TYPE_LASI_CHIP) -#define LASI_RTC_HPA (LASI_HPA + 0x9000) - typedef struct LasiState { PCIHostState parent_obj;
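
Review bot: In the lasi.c hunk, the removed `#define LASI_RTC_HPA (LASI_HPA + 0x9000)` was derived from LASI_HPA, while its replacement in hppa_hardware.h is the literal 0xffd09000, so the two only agree if LASI_HPA is 0xffd00000, which these hunks do not show. The literal matches the style of the neighbouring LASI_*_HPA entries, but the commit message should state that the value is unchanged. The definition of MEMORY_HPA, which the new QEMU_FW_CFG_IO_BASE depends on, is also outside the visible context and worth confirming in the synced header.
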
From patchwork Wed Aug 26 21:13:40 2020
X-Patchwork-Submitter: Helge Deller
X-Patchwork-Id: 275459
From: Helge Deller
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL v5 07/12] hw/display/artist: Refactor artist_rop8() to avoid buffer over-run
Date: Wed, 26 Aug 2020 23:13:40 +0200
Message-Id: <20200826211345.14295-8-deller@gmx.de>
In-Reply-To: <20200826211345.14295-1-deller@gmx.de>
References: <20200826211345.14295-1-deller@gmx.de>
Cc: Helge Deller, Philippe Mathieu-Daudé, Richard Henderson

From: Philippe Mathieu-Daudé

Invalid I/O writes can craft an offset out of the vram_buffer range.

Instead of passing an unsafe pointer to artist_rop8(), pass the vram_buffer and the offset. We can now check if the offset is in range before accessing it.

We avoid:

  Program terminated with signal SIGSEGV, Segmentation fault.
  284 *dst &= ~plane_mask;
  (gdb) bt
  #0 0x000056367b2085c0 in artist_rop8 (s=0x56367d38b510, dst=0x7f9f972fffff , val=0 '\000') at hw/display/artist.c:284
  #1 0x000056367b209325 in draw_line (s=0x56367d38b510, x1=-20480, y1=-1, x2=0, y2=17920, update_start=true, skip_pix=-1, max_pix=-1) at hw/display/artist.c:646

Reported-by: LLVM libFuzzer
Buglink: https://bugs.launchpad.net/qemu/+bug/1880326
Signed-off-by: Philippe Mathieu-Daudé
Signed-off-by: Helge Deller
---
 hw/display/artist.c | 40 +++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)
--
2.21.3

diff --git a/hw/display/artist.c b/hw/display/artist.c index a206afe641..47de17b9e9 100644 --- a/hw/display/artist.c +++ b/hw/display/artist.c
@@ -273,11 +273,20 @@ static artist_rop_t artist_get_op(ARTISTState *s) return (s->image_bitmap_op >> 8) & 0xf; } -static void artist_rop8(ARTISTState *s, uint8_t *dst, uint8_t val) +static void artist_rop8(ARTISTState *s, struct vram_buffer *buf, + int offset, uint8_t val) { - const artist_rop_t op = artist_get_op(s); - uint8_t plane_mask = s->plane_mask & 0xff; + uint8_t plane_mask; + uint8_t *dst; + + if (offset < 0 || offset >= buf->size) { + qemu_log_mask(LOG_GUEST_ERROR, + "rop8 offset:%d bufsize:%u\n", offset, buf->size); + return; + } + dst = buf->data + offset; + plane_mask = s->plane_mask & 0xff; switch (op) { case ARTIST_ROP_CLEAR: @@ -375,7 +384,7 @@ static void vram_bit_write(ARTISTState *s, int posx, int posy, bool incr_x, for (i = 0; i < pix_count; i++) { uint32_t off = offset + pix_count - 1 - i; if (off < buf->size) { - artist_rop8(s, p + off, + artist_rop8(s, buf, off, (data & 1) ? (s->plane_mask >> 24) : 0); } data >>= 1; @@ -395,7 +404,7 @@ static void vram_bit_write(ARTISTState *s, int posx, int posy, bool incr_x, s->vram_bitmask & (1 << (28 + i))) { uint32_t off = offset + 3 - i; if (off < buf->size) { - artist_rop8(s, p + off, data8[ROP8OFF(i)]); + artist_rop8(s, buf, off, data8[ROP8OFF(i)]); } } } @@ -424,10 +433,10 @@ static void vram_bit_write(ARTISTState *s, int posx, int posy, bool incr_x, if (!(s->image_bitmap_op & 0x20000000) || (vram_bitmask & mask)) { if (data & mask) { - artist_rop8(s, p + offset + i, s->fg_color); + artist_rop8(s, buf, offset + i, s->fg_color); } else { if (!(s->image_bitmap_op & 0x10000002)) { - artist_rop8(s, p + offset + i, s->bg_color); + artist_rop8(s, buf, offset + i, s->bg_color); } } } @@ -505,7 +514,7 @@ static void block_move(ARTISTState *s, int source_x, int source_y, int dest_x, if (dst + column > buf->size || src + column > buf->size) { continue; } - artist_rop8(s, buf->data + dst + column, buf->data[src + column]); + artist_rop8(s, buf, dst + column, buf->data[src + column]); } } 
@@ -546,7 +555,7 @@ static void fill_window(ARTISTState *s, int startx, int starty, offset = y * s->width; for (x = startx; x < startx + width; x++) { - artist_rop8(s, buf->data + offset + x, color); + artist_rop8(s, buf, offset + x, color); } } artist_invalidate_lines(buf, starty, height); @@ -559,7 +568,6 @@ static void draw_line(ARTISTState *s, int x1, int y1, int x2, int y2, uint8_t color; int dx, dy, t, e, x, y, incy, diago, horiz; bool c1; - uint8_t *p; trace_artist_draw_line(x1, y1, x2, y2); @@ -628,16 +636,18 @@ static void draw_line(ARTISTState *s, int x1, int y1, int x2, int y2, color = artist_get_color(s); do { + int ofs; + if (c1) { - p = buf->data + x * s->width + y; + ofs = x * s->width + y; } else { - p = buf->data + y * s->width + x; + ofs = y * s->width + x; } if (skip_pix > 0) { skip_pix--; } else { - artist_rop8(s, p, color); + artist_rop8(s, buf, ofs, color); } if (e > 0) { 
@@ -771,10 +781,10 @@ static void font_write16(ARTISTState *s, uint16_t val) for (i = 0; i < 16; i++) { mask = 1 << (15 - i); if (val & mask) { - artist_rop8(s, buf->data + offset + i, color); + artist_rop8(s, buf, offset + i, color); } else { if (!(s->image_bitmap_op & 0x20000000)) { - artist_rop8(s, buf->data + offset + i, s->bg_color); + artist_rop8(s, buf, offset + i, s->bg_color); } } }
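
Review bot: In the artist_rop8() hunk, `const artist_rop_t op = artist_get_op(s);` sits on a removed line while the unchanged `switch (op) {` below still uses `op`, so as quoted this patch does not build on its own and breaks bisection. Keep the declaration as context; only the `plane_mask` initialiser needs to move below the new range check.
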
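
Review bot: In the block_move() hunk, the source byte is still read by the caller: `buf->data[src + column]` is evaluated before artist_rop8() runs its new check, and the unchanged guard compares with `>` (`src + column > buf->size`), so `src + column == buf->size` reads one byte past the end of the buffer. Change both comparisons in that guard to `>=`; the destination side is now covered inside artist_rop8(), the source side is not.
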
From patchwork Wed Aug 26 21:13:42 2020
X-Patchwork-Submitter: Helge Deller
X-Patchwork-Id: 275458
From: Helge Deller
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL v5 09/12] hw/display/artist: Prevent out of VRAM buffer accesses
Date: Wed, 26 Aug 2020 23:13:42 +0200
Message-Id: <20200826211345.14295-10-deller@gmx.de>
In-Reply-To: <20200826211345.14295-1-deller@gmx.de>
References: <20200826211345.14295-1-deller@gmx.de>
Cc: Alexander Bulekov, Helge Deller, Richard Henderson

Simplify various bounds checks by changing parameters like row and column numbers to become unsigned instead of signed. With that we can check if the calculated offset is bigger than the size of the VRAM region and bail out if not.

Reported-by: LLVM libFuzzer
Reported-by: Alexander Bulekov
Buglink: https://bugs.launchpad.net/qemu/+bug/1880326
Buglink: https://bugs.launchpad.net/qemu/+bug/1890310
Buglink: https://bugs.launchpad.net/qemu/+bug/1890311
Buglink: https://bugs.launchpad.net/qemu/+bug/1890312
Buglink: https://bugs.launchpad.net/qemu/+bug/1890370
Acked-by: Alexander Bulekov
Signed-off-by: Helge Deller
---
 hw/display/artist.c | 110 +++++++++++++++++++++++++++-----------------
 1 file changed, 69 insertions(+), 41 deletions(-)
--
2.21.3

diff --git a/hw/display/artist.c b/hw/display/artist.c index f37aa9eb49..46eaa10dae 100644 --- a/hw/display/artist.c +++ b/hw/display/artist.c @@ -35,9 +35,9 @@ struct vram_buffer { MemoryRegion mr; uint8_t *data; - int size; - int width; - int height; + unsigned int size; + unsigned int width; + unsigned int height; }; typedef struct ARTISTState {
@@ -274,15 +274,15 @@ static artist_rop_t artist_get_op(ARTISTState *s) } static void artist_rop8(ARTISTState *s, struct vram_buffer *buf, - int offset, uint8_t val) + unsigned int offset, uint8_t val) { const artist_rop_t op = artist_get_op(s); uint8_t plane_mask; uint8_t *dst; - if (offset < 0 || offset >= buf->size) { + if (offset >= buf->size) { qemu_log_mask(LOG_GUEST_ERROR, - "rop8 offset:%d bufsize:%u\n", offset, buf->size); + "rop8 offset:%u bufsize:%u\n", offset, buf->size); return; } dst = buf->data + offset; @@ -294,8 +294,7 @@ static void artist_rop8(ARTISTState *s, struct vram_buffer *buf, break; case ARTIST_ROP_COPY: - *dst &= ~plane_mask; - *dst |= val & plane_mask; + *dst = (*dst & ~plane_mask) | (val & plane_mask); break; case ARTIST_ROP_XOR: @@ -349,7 +348,8 @@ static void vram_bit_write(ARTISTState *s, int posx, int posy, bool incr_x, { struct vram_buffer *buf; uint32_t vram_bitmask = s->vram_bitmask; - int mask, i, pix_count, pix_length, offset, width; + int mask, i, pix_count, pix_length; + unsigned int offset, width; uint8_t *data8, *p; pix_count = vram_write_pix_per_transfer(s); @@ -364,8 +364,7 @@ static void vram_bit_write(ARTISTState *s, int posx, int posy, bool incr_x, offset = posy * width + posx; } - if (!buf->size) { - qemu_log("write to non-existent buffer\n"); + if (!buf->size || offset >= buf->size) { return; } @@ -394,7 +393,9 @@ static void vram_bit_write(ARTISTState *s, int posx, int posy, bool incr_x, case 3: if (s->cmap_bm_access) { - *(uint32_t *)(p + offset) = data; + if (offset + 3 < buf->size) { + *(uint32_t *)(p + offset) = data; + } break; } data8 = (uint8_t *)&data; 
@@ -464,12 +465,14 @@ static void vram_bit_write(ARTISTState *s, int posx, int posy, bool incr_x, } } -static void block_move(ARTISTState *s, int source_x, int source_y, int dest_x, - int dest_y, int width, int height) +static void block_move(ARTISTState *s, + unsigned int source_x, unsigned int source_y, + unsigned int dest_x, unsigned int dest_y, + unsigned int width, unsigned int height) { struct vram_buffer *buf; int line, endline, lineincr, startcolumn, endcolumn, columnincr, column; - uint32_t dst, src; + unsigned int dst, src; trace_artist_block_move(source_x, source_y, dest_x, dest_y, width, height); @@ -481,6 +484,12 @@ static void block_move(ARTISTState *s, int source_x, int source_y, int dest_x, } buf = &s->vram_buffer[ARTIST_BUFFER_AP]; + if (height > buf->height) { + height = buf->height; + } + if (width > buf->width) { + width = buf->width; + } if (dest_y > source_y) { /* move down */ 
@@ -507,24 +516,27 @@ static void block_move(ARTISTState *s, int source_x, int source_y, int dest_x, } for ( ; line != endline; line += lineincr) { - src = source_x + ((line + source_y) * buf->width); - dst = dest_x + ((line + dest_y) * buf->width); + src = source_x + ((line + source_y) * buf->width) + startcolumn; + dst = dest_x + ((line + dest_y) * buf->width) + startcolumn; for (column = startcolumn; column != endcolumn; column += columnincr) { - if (dst + column > buf->size || src + column > buf->size) { + if (dst >= buf->size || src >= buf->size) { continue; } - artist_rop8(s, buf, dst + column, buf->data[src + column]); + artist_rop8(s, buf, dst, buf->data[src]); + src += columnincr; + dst += columnincr; } } artist_invalidate_lines(buf, dest_y, height); } -static void fill_window(ARTISTState *s, int startx, int starty, - int width, int height) +static void fill_window(ARTISTState *s, + unsigned int startx, unsigned int starty, + unsigned int width, unsigned int height) { - uint32_t offset; + unsigned int offset; uint8_t color = artist_get_color(s); struct vram_buffer *buf; int x, y; @@ -561,7 +573,9 @@ static void fill_window(ARTISTState *s, int startx, int starty, artist_invalidate_lines(buf, starty, height); } -static void draw_line(ARTISTState *s, int x1, int y1, int x2, int y2, +static void draw_line(ARTISTState *s, + unsigned int x1, unsigned int y1, + unsigned int x2, unsigned int y2, bool update_start, int skip_pix, int max_pix) { struct vram_buffer *buf = &s->vram_buffer[ARTIST_BUFFER_AP]; @@ -571,12 +585,12 @@ static void draw_line(ARTISTState *s, int x1, int y1, int x2, int y2, trace_artist_draw_line(x1, y1, x2, y2); - if (x1 * y1 >= buf->size || x2 * y2 >= buf->size) { - qemu_log_mask(LOG_GUEST_ERROR, - "draw_line (%d,%d) (%d,%d)\n", x1, y1, x2, y2); - return; + if ((x1 >= buf->width && x2 >= buf->width) || + (y1 >= buf->height && y2 >= buf->height)) { + return; } + if (update_start) { s->vram_start = (x2 << 16) | y2; } 
@@ -633,7 +647,7 @@ static void draw_line(ARTISTState *s, int x1, int y1, int x2, int y2, color = artist_get_color(s); do { - int ofs; + unsigned int ofs; if (c1) { ofs = x * s->width + y; @@ -765,13 +779,14 @@ static void font_write16(ARTISTState *s, uint16_t val) uint16_t mask; int i; - int startx = artist_get_x(s->vram_start); - int starty = artist_get_y(s->vram_start) + s->font_write_pos_y; - int offset = starty * s->width + startx; + unsigned int startx = artist_get_x(s->vram_start); + unsigned int starty = artist_get_y(s->vram_start) + s->font_write_pos_y; + unsigned int offset = starty * s->width + startx; buf = &s->vram_buffer[ARTIST_BUFFER_AP]; - if (offset + 16 > buf->size) { + if (startx >= buf->width || starty >= buf->height || + offset + 16 >= buf->size) { return; } @@ -1135,7 +1150,7 @@ static void artist_vram_write(void *opaque, hwaddr addr, uint64_t val, struct vram_buffer *buf; int posy = (addr >> 11) & 0x3ff; int posx = addr & 0x7ff; - uint32_t offset; + unsigned int offset; trace_artist_vram_write(size, addr, val); if (s->cmap_bm_access) { 
@@ -1156,18 +1171,28 @@ static void artist_vram_write(void *opaque, hwaddr addr, uint64_t val, } offset = posy * buf->width + posx; + if (offset >= buf->size) { + return; + } + switch (size) { case 4: - *(uint32_t *)(buf->data + offset) = be32_to_cpu(val); - memory_region_set_dirty(&buf->mr, offset, 4); + if (offset + 3 < buf->size) { + *(uint32_t *)(buf->data + offset) = be32_to_cpu(val); + memory_region_set_dirty(&buf->mr, offset, 4); + } break; case 2: - *(uint16_t *)(buf->data + offset) = be16_to_cpu(val); - memory_region_set_dirty(&buf->mr, offset, 2); + if (offset + 1 < buf->size) { + *(uint16_t *)(buf->data + offset) = be16_to_cpu(val); + memory_region_set_dirty(&buf->mr, offset, 2); + } break; case 1: - *(uint8_t *)(buf->data + offset) = val; - memory_region_set_dirty(&buf->mr, offset, 1); + if (offset < buf->size) { + *(uint8_t *)(buf->data + offset) = val; + memory_region_set_dirty(&buf->mr, offset, 1); + } break; default: break; 
@@ -1183,9 +1208,12 @@ static uint64_t artist_vram_read(void *opaque, hwaddr addr, unsigned size) if (s->cmap_bm_access) { buf = &s->vram_buffer[ARTIST_BUFFER_CMAP]; - val = *(uint32_t *)(buf->data + addr); + val = 0; + if (addr < buf->size && addr + 3 < buf->size) { + val = *(uint32_t *)(buf->data + addr); + } trace_artist_vram_read(size, addr, 0, 0, val); - return 0; + return val; } buf = vram_read_buffer(s);
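
Review bot: In the block_move() loop hunk, the `continue` taken when `dst >= buf->size || src >= buf->size` skips the new `src += columnincr; dst += columnincr;` at the bottom of the body, so once either index is out of range neither advances and every remaining column of that row is skipped, including columns that would be back in range. Advance both indices before the `continue`, or use `break` if abandoning the rest of the row is the intent.
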
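
Review bot: In the font_write16() hunk, `offset + 16 >= buf->size` is one stricter than the old `offset + 16 > buf->size`: the loop writes `offset` through `offset + 15`, so `offset + 16 == buf->size` is the last valid position and is now rejected. Keep `>` for that term; the added `startx >= buf->width || starty >= buf->height` tests and the per-byte check in artist_rop8() already cover the out-of-range cases.
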
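
Review bot: In the artist_vram_read() hunk, `return 0;` becomes `return val;` on the cmap_bm_access path, which changes what the guest reads back and is not covered by a commit message that only describes bounds checks. Mention the behaviour change in the message or split it into its own patch so it can be reviewed and bisected separately.
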
4.90_1) (envelope-from ) id 1kB2oj-0001tQ-CR for qemu-devel@archiver.kernel.org; Wed, 26 Aug 2020 17:18:49 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:35254) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kB2k6-0008On-PF for qemu-devel@nongnu.org; Wed, 26 Aug 2020 17:14:02 -0400 Received: from mout.gmx.net ([212.227.17.20]:46489) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kB2k2-0002V8-Dp for qemu-devel@nongnu.org; Wed, 26 Aug 2020 17:14:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1598476431; bh=jLLmqaosE8xt+OARVvHb93VE1fgCMwuTT/uP+6We6T4=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:In-Reply-To:References; b=GvYLNww4LLRFIOGC3AUpb3D3a2lY3pUlcuG1gxJhaVmLQDRJTPrWzZUJVUR8Osri7 GciXdfs4GrE3ksV+JXJV1G3KgEFaR2pbeYIfA7d+qaauPa4N29hvWshhULR2MShlFl 7rG2zm3RwkReId2iE8BX8xQbWvn0VmTSsTVx1fSw= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from ls3530.fritz.box ([92.116.186.77]) by mail.gmx.com (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MbzuB-1kkwaG1wJL-00dVXI; Wed, 26 Aug 2020 23:13:51 +0200 
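Review bot: in the cmap_bm_access branch of artist_vram_read, the new test "addr < buf->size && addr + 3 < buf->size" hardcodes the width of the uint32_t load as 3 and depends on its first clause only to catch wraparound of addr + 3, which is not obvious to a reader. Writing it as "buf->size >= sizeof(uint32_t) && addr <= buf->size - sizeof(uint32_t)" states the same bound without the overflow case. The load is still 4 bytes wide whatever the size argument is, and an out-of-range read now returns 0 silently, so a guest-error log on that path would help when debugging. The switch from "return 0" to "return val" changes what the guest sees from this branch and deserves a line in the commit message.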
From: Helge Deller
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL v5 10/12] hw/display/artist: Unbreak size mismatch memory accesses
Date: Wed, 26 Aug 2020 23:13:43 +0200
Message-Id: <20200826211345.14295-11-deller@gmx.de>
In-Reply-To: <20200826211345.14295-1-deller@gmx.de>
References: <20200826211345.14295-1-deller@gmx.de>
Cc: Helge Deller, Sven Schnelle, Richard Henderson

Commit 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") broke the artist driver in a way that the dtwm window manager on HP-UX rendered wrong.

Fixes: 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Sven Schnelle
Signed-off-by: Helge Deller
--- hw/display/artist.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) -- 2.21.3 diff --git a/hw/display/artist.c b/hw/display/artist.c index 46eaa10dae..44bb67bbc3 100644 --- a/hw/display/artist.c +++ b/hw/display/artist.c 
@@ -1237,20 +1237,16 @@ static const MemoryRegionOps artist_reg_ops = { .read = artist_reg_read, .write = artist_reg_write, .endianness = DEVICE_NATIVE_ENDIAN, - .valid = { - .min_access_size = 1, - .max_access_size = 4, - }, + .impl.min_access_size = 1, + .impl.max_access_size = 4, }; static const MemoryRegionOps artist_vram_ops = { .read = artist_vram_read, .write = artist_vram_write, .endianness = DEVICE_NATIVE_ENDIAN, - .valid = { - .min_access_size = 1, - .max_access_size = 4, - }, + .impl.min_access_size = 1, + .impl.max_access_size = 4, }; static void artist_draw_cursor(ARTISTState *s)
From patchwork Wed Aug 26 21:13:45 2020
X-Patchwork-Submitter: Helge Deller
X-Patchwork-Id: 275460
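Review bot: dropping .valid from artist_reg_ops and artist_vram_ops removes the only statement in these structs of which guest access sizes are accepted, and the commit message does not say which sizes the HP-UX guest actually issues. If wider accesses are the intent, keeping an explicit .valid block with the new upper bound next to .impl would document that and keep the rejection of anything larger. As a style point, the block form ".impl = { .min_access_size = 1, .max_access_size = 4, }," would match the initializer style of the lines being removed.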
From: Helge Deller
To: peter.maydell@linaro.org, qemu-devel@nongnu.org
Subject: [PULL v5 12/12] hw/display/artist: Fix invalidation of lines near screen border
Date: Wed, 26 Aug 2020 23:13:45 +0200
Message-Id: <20200826211345.14295-13-deller@gmx.de>
In-Reply-To: <20200826211345.14295-1-deller@gmx.de>
References: <20200826211345.14295-1-deller@gmx.de>
Cc: Helge Deller, Sven Schnelle, Richard Henderson

From: Sven Schnelle

If parts of the invalidated screen lines are outside of the VRAM buffer, the code skips the whole invalidate. This is incorrect when only parts of the buffer are invisible - which is the case when the mouse cursor is located near the screen border.

Signed-off-by: Sven Schnelle
Signed-off-by: Helge Deller
--- hw/display/artist.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) -- 2.21.3 diff --git a/hw/display/artist.c b/hw/display/artist.c index a959b2c158..71982559c6 100644 --- a/hw/display/artist.c +++ b/hw/display/artist.c @@ -206,7 +206,12 @@ static void artist_invalidate_lines(struct vram_buffer *buf, int starty, int height) { int start = starty * buf->width; - int size = height * buf->width; + int size; + + if (starty + height > buf->height) + height = buf->height - starty; + + size = height * buf->width; if (start + size <= buf->size) { memory_region_set_dirty(&buf->mr, start, size);
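Review bot: in artist_invalidate_lines the new clamp "height = buf->height - starty" produces a zero or negative height when starty is at or beyond buf->height, and the resulting negative size can still satisfy "start + size <= buf->size", so it is passed on to memory_region_set_dirty. An early return for starty >= buf->height (and for a negative starty, since both parameters are int) before the clamp would close that. The added if also needs braces around its body to follow QEMU coding style.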