Re: [PATCH v2] ati-vga: check mm_index before recursive call
From: P J P
Subject: Re: [PATCH v2] ati-vga: check mm_index before recursive call
Date: Thu, 4 Jun 2020 14:44:02 +0530 (IST)
+-- On Wed, 3 Jun 2020, Philippe Mathieu-Daudé wrote --+
| > - } else {
| > + } else if (s->regs.mm_index > MM_DATA + 3) {
| > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
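Review bot: on the `else if (s->regs.mm_index > MM_DATA + 3)` line of the read path, dropping the final `else` means no line shown here assigns `val` when the condition is false; check that `val` is initialized before this chain so the guest gets a defined value back. The bare `MM_DATA + 3` bound would also benefit from a one-line comment saying which register range it excludes.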
|
| We usually log unexpected guest accesses with:
|
| } else {
| qemu_log_mask(LOG_GUEST_ERROR, ...
|
| > - } else {
| > + } else if (s->regs.mm_index > MM_DATA + 3) {
| > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
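Review bot: the write path repeats `s->regs.mm_index > MM_DATA + 3` verbatim from the read path; a shared helper or a named constant for the bound would keep the two checks from drifting apart. The check is also made on `mm_index` alone while the call uses `s->regs.mm_index + addr - MM_DATA`, so a comment stating the range of `addr` in this branch would make it clear that the computed offset cannot fall back into the guarded range.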
|
| Ditto:
|
| } else {
| qemu_log_mask(LOG_GUEST_ERROR, ...
+-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
| On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote:
| > While accessing VGA registers via ati_mm_read/write routines,
| > a guest may set 's->regs.mm_index' such that it leads to infinite
| > recursion. Check mm_index value to avoid it.
|
| So this is a denial of service security issue. Is there any CVE
| assigned for this ?
Yes, just sent a revised patch v3 with above changes and CVE-ID.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
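
The recursion described in the quoted commit message, with the guard from the quoted hunks and the refusal branch suggested in the review, as an added example that is not part of the original message and is not QEMU's code. It is a constructed toy model: `ToyDev`, `toy_read`, `sweep_max_depth`, the register offsets and the error counter (standing in for a `LOG_GUEST_ERROR` message) are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model, not QEMU code: offsets and layout are assumptions. */
#define MM_INDEX 0x00u
#define MM_DATA  0x04u            /* data window: MM_DATA .. MM_DATA + 3 */
#define NREGS    0x40u

typedef struct {
    uint32_t mm_index;            /* guest-controlled indirect address */
    uint8_t  regs[NREGS];         /* ordinary registers */
    unsigned guest_errors;        /* stands in for a LOG_GUEST_ERROR line */
    unsigned max_depth;           /* deepest call nesting seen */
} ToyDev;

static uint32_t toy_read(ToyDev *d, uint32_t addr, unsigned depth)
{
    if (depth > d->max_depth) d->max_depth = depth;
    if (addr == MM_INDEX) return d->mm_index;
    if (addr >= MM_DATA && addr <= MM_DATA + 3) {
        if (d->mm_index > MM_DATA + 3) {
            /* Target is past the window, so the nested call cannot re-enter it. */
            return toy_read(d, d->mm_index + addr - MM_DATA, depth + 1);
        }
        d->guest_errors++;        /* index aims at MM_INDEX/MM_DATA: refuse */
        return 0;
    }
    return addr < NREGS ? d->regs[addr] : 0;
}

/* Read the whole window for each index in [lo, hi]; return the deepest nesting. */
static unsigned sweep_max_depth(ToyDev *d, uint32_t lo, uint32_t hi)
{
    unsigned worst = 0;
    for (uint32_t i = lo; ; i++) {
        d->mm_index = i;
        d->max_depth = 0;
        for (uint32_t a = MM_DATA; a <= MM_DATA + 3; a++) (void)toy_read(d, a, 0);
        if (d->max_depth > worst) worst = d->max_depth;
        if (i == hi) break;       /* explicit stop so hi = UINT32_MAX terminates */
    }
    return worst;
}

int main(void)
{
    ToyDev d = {0};
    unsigned depth = sweep_max_depth(&d, 0, 0xFF);
    printf("max nesting %u, refused accesses %u\n", depth, d.guest_errors);
    return 0;
}
```

With the guard in place every index value, including ones where `mm_index + addr - MM_DATA` wraps around, nests at most one level deep, and accesses that would have re-entered the window are counted instead of silently dropped.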