From 60df0d1b59e02c4ef2964473f84b707153ccad58 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 13 Aug 2019 12:21:56 +0100
Subject: [PATCH 1/3] console: Avoid segfault in screendump
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <20190813122156.5609-2-kraxel@redhat.com>
Patchwork-id: 89958
O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/1] console: Avoid segfault in screendump
Bugzilla: 1684383
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: John Snow <jsnow@redhat.com>
From: Michal Privoznik <mprivozn@redhat.com>
After f771c5440e04626f1 it is possible to select device and
head which to take screendump from. And even though we check if
provided head number falls within range, it may still happen that
the console has no surface yet leading to SIGSEGV:
qemu.git $ ./x86_64-softmmu/qemu-system-x86_64 \
-qmp stdio \
-device virtio-vga,id=video0,max_outputs=4
{"execute":"qmp_capabilities"}
{"execute":"screendump", "arguments":{"filename":"/tmp/screen.ppm", "device":"video0", "head":1}}
Segmentation fault
#0 0x00005628249dda88 in ppm_save (filename=0x56282826cbc0 "/tmp/screen.ppm", ds=0x0, errp=0x7fff52a6fae0) at ui/console.c:304
#1 0x00005628249ddd9b in qmp_screendump (filename=0x56282826cbc0 "/tmp/screen.ppm", has_device=true, device=0x5628276902d0 "video0", has_head=true, head=1, errp=0x7fff52a6fae0) at ui/console.c:375
#2 0x00005628247740df in qmp_marshal_screendump (args=0x562828265e00, ret=0x7fff52a6fb68, errp=0x7fff52a6fb60) at qapi/qapi-commands-ui.c:110
Here, @ds from frame #0 (or @surface from frame #1) is
dereferenced at the very beginning of ppm_save(). And because
it is NULL, the crash happens.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: cb05bb1909daa6ba62145c0194aafa05a14ed3d1.1526569138.git.mprivozn@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 08d9864fa4e0c616e076ca8b225d39a7ecb189af)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
ui/console.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ui/console.c b/ui/console.c
|
|
|
4ec855 |
index 594ec63..4e4052f 100644
|
|
|
4ec855 |
--- a/ui/console.c
|
|
|
4ec855 |
+++ b/ui/console.c
|
|
|
4ec855 |
@@ -370,6 +370,11 @@ void qmp_screendump(const char *filename, bool has_device, const char *device,
|
|
|
4ec855 |
|
|
|
4ec855 |
graphic_hw_update(con);
|
|
|
4ec855 |
surface = qemu_console_surface(con);
|
|
|
4ec855 |
+ if (!surface) {
|
|
|
4ec855 |
+ error_setg(errp, "no surface");
|
|
|
4ec855 |
+ return;
|
|
|
4ec855 |
+ }
|
|
|
4ec855 |
+
|
|
|
4ec855 |
ppm_save(filename, surface, errp);
|
|
|
4ec855 |
}
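Review bot: The new guard at the `if (!surface)` line reports only `"no surface"`, which tells a QMP client neither which console was selected nor that the condition is transient, so a message in the style of the other error_setg() calls in qmp_screendump (outside this hunk) would serve better, e.g. `error_setg(errp, "Console has no display surface yet, cannot take a screendump");`. A one-line why-comment above the check would also help the next reader, e.g. `/* A console the guest has not set up yet has no surface (see commit message). */` — the commit message attributes the NULL to a head that has no surface yet, so keep the wording hedged to what is verified. Because QMP is the management interface, the original dereference was a management-plane crash of the whole VM; since ppm_save() still dereferences its ds argument unconditionally per the backtrace, if it has any caller other than this one the same check belongs inside ppm_save() as well. qmp_screendump begins before this hunk.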
|
|
|
4ec855 |
|
|
|
--
1.8.3.1