vfio: fix use-after-free in display

kraxel · kraxel · commit 8ec1415935ff · 2020-07-16T10:20:12.000+02:00
Calling ramfb_display_update() might replace the DisplaySurface with the
boot display, which in turn will free the currently active
DisplaySurface.

So clear our DisplaySurface pinter (dpy-&gt;region.surface pointer) to (a)
avoid use-after-free and (b) force replacing the boot display with the
real display when switching back.

Signed-off-by: Gerd Hoffmann &lt;kraxel@redhat.com&gt;
Reviewed-by: Alex Williamson &lt;alex.williamson@redhat.com&gt;
Acked-by: Alex Williamson &lt;alex.williamson@redhat.com&gt;
Message-id: 20200713124520.23266-1-kraxel@redhat.com
diff --git a/hw/vfio/display.c b/hw/vfio/display.c
@@ -405,6 +405,7 @@ static void vfio_display_region_update(void *opaque)
     if (!plane.drm_format || !plane.size) {
         if (dpy->ramfb) {
             ramfb_display_update(dpy->con, dpy->ramfb);
+            dpy->region.surface = NULL;
         }
         return;
     }

Original file line number	Diff line number	Diff line change
`@@ -405,6 +405,7 @@ static void vfio_display_region_update(void *opaque)`
`405`	`405`	`if (!plane.drm_format \|\| !plane.size) {`
`406`	`406`	`if (dpy->ramfb) {`
`407`	`407`	`ramfb_display_update(dpy->con, dpy->ramfb);`
	`408`	`+ dpy->region.surface = NULL;`
`408`	`409`	`}`
`409`	`410`	`return;`
`410`	`411`	`}`