yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
From 60df0d1b59e02c4ef2964473f84b707153ccad58 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 13 Aug 2019 12:21:56 +0100
Subject: [PATCH 1/3] console: Avoid segfault in screendump
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <20190813122156.5609-2-kraxel@redhat.com>
Patchwork-id: 89958
O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/1] console: Avoid segfault in screendump
Bugzilla: 1684383
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>

From: Michal Privoznik <mprivozn@redhat.com>

After f771c5440e04626f1 it is possible to select the device and
head from which to take a screendump. And even though we check if
the provided head number falls within range, it may still happen that
the console has no surface yet, leading to SIGSEGV:

  qemu.git $ ./x86_64-softmmu/qemu-system-x86_64 \
    -qmp stdio \
    -device virtio-vga,id=video0,max_outputs=4

  {"execute":"qmp_capabilities"}
  {"execute":"screendump", "arguments":{"filename":"/tmp/screen.ppm", "device":"video0", "head":1}}
  Segmentation fault

 #0  0x00005628249dda88 in ppm_save (filename=0x56282826cbc0 "/tmp/screen.ppm", ds=0x0, errp=0x7fff52a6fae0) at ui/console.c:304
 #1  0x00005628249ddd9b in qmp_screendump (filename=0x56282826cbc0 "/tmp/screen.ppm", has_device=true, device=0x5628276902d0 "video0", has_head=true, head=1, errp=0x7fff52a6fae0) at ui/console.c:375
 #2  0x00005628247740df in qmp_marshal_screendump (args=0x562828265e00, ret=0x7fff52a6fb68, errp=0x7fff52a6fb60) at qapi/qapi-commands-ui.c:110

Here, @ds from frame #0 (or @surface from frame #1) is
dereferenced at the very beginning of ppm_save(). And because
it's NULL, the crash happens.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: cb05bb1909daa6ba62145c0194aafa05a14ed3d1.1526569138.git.mprivozn@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 08d9864fa4e0c616e076ca8b225d39a7ecb189af)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 ui/console.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ui/console.c b/ui/console.c
index 594ec63..4e4052f 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -370,6 +370,11 @@ void qmp_screendump(const char *filename, bool has_device, const char *device,
 
     graphic_hw_update(con);
     surface = qemu_console_surface(con);
+    if (!surface) {
+        error_setg(errp, "no surface");
+        return;
+    }
+
     ppm_save(filename, surface, errp);
 }
 
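Review bot: the `error_setg(errp, "no surface")` message in this hunk tells the QMP caller nothing about which console is affected or why; since qmp_screendump() already has the optional device and head selectors (has_device/device in the hunk header, has_head/head in frame #1 of the backtrace), a message such as `error_setg(errp, "console for device '%s' head %d has no surface yet", device, head)` when both were supplied, falling back to a fixed "console has no surface yet" otherwise, would let a client distinguish "head not initialised yet, retry later" from a genuine failure. The placement of the NULL check is right: it comes after graphic_hw_update(con), which is the device's last opportunity to allocate the surface before the dump, and returning before ppm_save() means no file is created on the error path.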
-- 
1.8.3.1
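The QMP exchange from the commit message, seen from the client side, as an added example (not QEMU's, libvirt's or the patch author's code): it sends the same screendump request once per head of a max_outputs=4 device and treats the {"error": ...} reply that the patched qmp_screendump() now returns as a per-head failure instead of a crashed monitor. So that it runs offline, the QEMU end is a constructed fake answering over a socketpair; its greeting/return/error envelopes follow the QMP wire format, and the assumption that error_setg() shows up as class "GenericError" is ours, as are the /tmp/screen-headN.ppm file names.

```python
"""Minimal QMP client that handles the post-patch "no surface" error.

Added example, not code from QEMU or the patch. The monitor side below is a
constructed stand-in so the script runs without a guest.
"""
import json
import socket
import threading


def _fake_qmp_server(sock, surfaced_heads):
    """Constructed stand-in for the QEMU monitor (not real QEMU): sends the
    greeting, answers qmp_capabilities with an empty return, and answers
    screendump with an empty return for heads that have a surface or with the
    error the patched qmp_screendump() reports for heads that do not."""
    f = sock.makefile("rw", encoding="utf-8", newline="\n")
    f.write(json.dumps({"QMP": {"version": {}, "capabilities": []}}) + "\n")
    f.flush()
    while True:
        line = f.readline()
        if not line:                      # client hung up
            break
        req = json.loads(line)
        cmd = req.get("execute")
        if cmd == "qmp_capabilities":
            resp = {"return": {}}
        elif cmd == "screendump":
            head = req.get("arguments", {}).get("head", 0)
            if head in surfaced_heads:
                resp = {"return": {}}
            else:   # assumption: error_setg() maps to class GenericError
                resp = {"error": {"class": "GenericError", "desc": "no surface"}}
        else:
            resp = {"error": {"class": "CommandNotFound",
                              "desc": f"The command {cmd} has not been found"}}
        if "id" in req:
            resp["id"] = req["id"]
        f.write(json.dumps(resp) + "\n")
        f.flush()
    f.close()
    sock.close()


class QmpError(Exception):
    """Raised when the monitor answers with an {"error": ...} envelope."""

    def __init__(self, error_class, desc):
        super().__init__(f"{error_class}: {desc}")
        self.error_class = error_class
        self.desc = desc


class QmpClient:
    """Just enough QMP: greeting, capability negotiation, synchronous
    execute with return/error dispatch (asynchronous events are skipped)."""

    def __init__(self, sock):
        self._f = sock.makefile("rw", encoding="utf-8", newline="\n")
        greeting = json.loads(self._f.readline())
        if "QMP" not in greeting:
            raise RuntimeError("not a QMP greeting")
        self.execute("qmp_capabilities")   # leave capabilities negotiation mode

    def execute(self, command, **arguments):
        req = {"execute": command}
        if arguments:
            req["arguments"] = arguments
        self._f.write(json.dumps(req) + "\n")
        self._f.flush()
        while True:
            line = self._f.readline()
            if not line:   # what an unpatched QEMU looks like: the process died
                raise ConnectionError("QMP connection closed by the monitor")
            resp = json.loads(line)
            if "return" in resp:
                return resp["return"]
            if "error" in resp:
                raise QmpError(resp["error"]["class"], resp["error"]["desc"])
            # otherwise an {"event": ...}; keep waiting for our reply

    def screendump(self, filename, device=None, head=None):
        args = {"filename": filename}
        if device is not None:
            args["device"] = device
        if head is not None:
            args["head"] = head
        return self.execute("screendump", **args)

    def close(self):
        self._f.close()


def dump_all_heads(client, device, max_outputs, prefix):
    """Dump every head of a multi-output device; a head whose console has no
    surface yet is recorded as an error instead of aborting the loop."""
    results = {}
    for head in range(max_outputs):
        try:
            client.screendump(f"{prefix}-head{head}.ppm", device=device, head=head)
            results[head] = "ok"
        except QmpError as e:
            results[head] = f"{e.error_class}: {e.desc}"
    return results


def demo(surfaced_heads=(0,), max_outputs=4):
    """Run the client against the fake monitor. By default only head 0 has a
    surface, so heads 1-3 get the error the commit message triggers on head 1."""
    client_sock, server_sock = socket.socketpair()
    threading.Thread(target=_fake_qmp_server,
                     args=(server_sock, set(surfaced_heads)), daemon=True).start()
    client = QmpClient(client_sock)
    results = dump_all_heads(client, "video0", max_outputs, "/tmp/screen")
    client.close()
    client_sock.close()
    return results


if __name__ == "__main__":
    for head, outcome in demo().items():
        print(f"video0 head {head}: {outcome}")
```

Pointing QmpClient at a real monitor only needs a connected UNIX or TCP socket in place of the socketpair end; the point of the ConnectionError branch is that before this patch the request for head 1 did not produce an error reply at all, the monitor simply vanished, which is what a client should distinguish from a recoverable per-head error.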