Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.
Date: Fri, 26 Oct 2018 10:48:09 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0
On 25/10/2018 10:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
>
> Reproducer:
> outw(0xff60, 0x220);
> outw(0x1020, 0x220);
> outw(0xffb0, 0x220);
> Result:
> Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
I am dumb and I don't understand. In set_ar_dr you get
v = 0xff
ar = 15
dr = 15
and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which
seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60]
is accessed.
The next accesses use SLOT->ksr which is 0 so it's fine too.
Paolo
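To check a report like this, a reviewer can model the index derivation and enumerate every guest-controllable input rather than reason about one value. The C below is an added example written for this page, not code from QEMU's hw/audio/fmopl.c; it assumes the derivation given in the message (ar = v >> 4, dr = v & 0x0f, entry ar*4 or dr*4 plus SLOT->ksr, table size 75) and takes the largest possible ksr as a parameter, since the message treats it as 0.

```c
#include <stdbool.h>
#include <stdio.h>

/* Size of FM_OPL->AR_TABLE[] / DR_TABLE[] as quoted in the message above. */
#define RATE_TABLE_SIZE 75

/* Index into AR_TABLE for register byte v: ar = v >> 4, scaled by 4 so that
 * ar == 15 lands on entry 60 as described above, plus the key-scale offset
 * ksr. Assumed formula for this model, not QEMU's code. */
static int ar_index(unsigned v, unsigned ksr)
{
    unsigned ar = v >> 4;
    return (int)((ar << 2) + ksr);
}

/* Same derivation for DR_TABLE from the low nibble dr = v & 0x0f. */
static int dr_index(unsigned v, unsigned ksr)
{
    unsigned dr = v & 0x0f;
    return (int)((dr << 2) + ksr);
}

/* Largest index either table can be asked for over every register byte
 * 0x00..0xff and every ksr in 0..ksr_max. Exhaustive, so no case is missed. */
static int max_rate_index(unsigned ksr_max)
{
    int max = 0;
    for (unsigned v = 0; v <= 0xff; v++) {
        for (unsigned ksr = 0; ksr <= ksr_max; ksr++) {
            int a = ar_index(v, ksr), d = dr_index(v, ksr);
            if (a > max) max = a;
            if (d > max) max = d;
        }
    }
    return max;
}

/* True when every reachable index stays inside a table of RATE_TABLE_SIZE. */
static bool rate_tables_in_bounds(unsigned ksr_max)
{
    return max_rate_index(ksr_max) < RATE_TABLE_SIZE;
}

int main(void)
{
    printf("v=0xff, ksr=0 -> AR_TABLE[%d], DR_TABLE[%d]\n",
           ar_index(0xff, 0), dr_index(0xff, 0));
    for (unsigned k = 0; k <= 3; k += 3) /* ksr range is the open question */
        printf("ksr up to %u: max index %d of %d -> %s\n", k, max_rate_index(k),
               RATE_TABLE_SIZE, rate_tables_in_bounds(k) ? "in bounds" : "out of bounds");
    return 0;
}
```

Plug the real upper bound of SLOT->ksr into max_rate_index() to turn the message's single-value argument into a complete check.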