Re: [Qemu-devel] [PATCH] sdl2: Support all virtio-gpu formats

From: Max Reitz <mreitz@redhat.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] sdl2: Support all virtio-gpu formats
Date: Wed, 10 Oct 2018 19:53:43 +0200	[thread overview]
Message-ID: <f464c19e-4d24-61e1-b8f9-aa027675e048@redhat.com> (raw)
In-Reply-To: <0d07e9f7-1924-0e0f-94da-25d25b10e748@redhat.com>

[-- Attachment #1.1: Type: text/plain, Size: 2266 bytes --]

On 10.10.18 19:35, Max Reitz wrote:
> On 10.10.18 12:10, Gerd Hoffmann wrote:
>> On Mon, Oct 08, 2018 at 08:50:13PM +0200, Max Reitz wrote:
>>> There are some 2D resource formats that can be used through virtio-gpu,
>>
>> Ahem, not really.  XRGB is the only one which works in practice, and
>> virtio-gpu kms driver will stop advertising anything else soon (patches
>> should land upstream with the next merge window).
> 
> OK, if virtio-gpu didn't support anything else, that'd be a fix, too.
> But it sounds like you're talking about the Linux driver, I'm not.
> 
> This is not about Linux applications being able to abuse the Linux
> driver to crash the VM, this is about malicious drivers (not necessarily
> Linux drivers).
> 
>>> Add these formats in the switch converting pixman to SDL format
>>> constants so a guest cannot crash the VM by triggering the
>>> g_assert_not_reached() with an unsupported format.
>>
>> Do you have a reproducer for that?
> 
> I have attached two RISC-V kernels, one (kernel-rgbx) setting
> VIRTIO_GPU_FORMAT_R8G8B8X8_UNORM, the other (kernel-bgra) setting
> VIRTIO_GPU_FORMAT_B8G8R8A8_UNORM.  Both crash qemu:

Of course I hadn't.

> $ $QEMU/build/riscv64-softmmu/qemu-system-riscv64 -kernel kernel-rgbx \
>     -serial stdio -M virt -device virtio-gpu-device
> [platform-virt] Virt platform detected
> [virtio-gpu] Found device @0x10008000
> [virtio-gpu] Scanout 0: 0x0:1024x768
> **
> ERROR:$QEMU/ui/sdl2-2d.c:114:sdl2_2d_switch: code should not be reached
> [1]    7151 abort (core dumped)
> 
> So this is not about a misbehaving Linux driver but about an own driver.
>  Of course, if you can insert kernel code, there's noone stopping you
> from hitting that assertion with Linux, too.
> 
>> There is sdl2_2d_check_format() which reports the supported formats.
>> If we hit sdl2_2d_switch() with a format not whitelisted by
>> sdl2_2d_check_format() we have a bug somewhere in qemu ...
> 
> I suppose the other solution would be for virtio_gpu_set_scanout() to
> check whether the resource's format can actually be used for that
> display.  Or in virtio_gpu_resource_create_2d(), I don't know whether
> it's possible to use resources in other formats at all.
> 
> Max
> 

[-- Attachment #1.2: kernel-rgbx.xz --]
[-- Type: application/x-xz, Size: 16592 bytes --]

[-- Attachment #1.3: kernel-bgra.xz --]
[-- Type: application/x-xz, Size: 16612 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]