qemu-devel

Re: [PATCH v2] ati-vga: check mm_index before recursive call


From: P J P
Subject: Re: [PATCH v2] ati-vga: check mm_index before recursive call
Date: Thu, 4 Jun 2020 14:44:02 +0530 (IST)

+-- On Wed, 3 Jun 2020, Philippe Mathieu-Daudé wrote --+
| > -        } else {
| > +        } else if (s->regs.mm_index > MM_DATA + 3) {
| >              val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
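Review bot: on the read side, changing the plain 'else' to 'else if (s->regs.mm_index > MM_DATA + 3)' leaves a path where this branch no longer assigns 'val'. The declaration of 'val' is not visible in this hunk, so confirm it is initialised there (or assign it in a final 'else'), so that a guest read with a rejected index returns a fixed value rather than whatever the variable happened to hold.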
| 
| We usually log unexpected guest accesses with:
| 
|            } else {
|                qemu_log_mask(LOG_GUEST_ERROR, ...
| 
| > -        } else {
| > +        } else if (s->regs.mm_index > MM_DATA + 3) {
| >              ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
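Review bot: the bound 'MM_DATA + 3' in the write-side condition has no comment explaining it. The nested call uses 's->regs.mm_index + addr - MM_DATA', so a one-line comment saying the test exists to stop the indexed access from re-entering itself would keep the guard from being relaxed later. The comment should also say whether refusing every index at or below MM_DATA + 3 is intentional, because the condition rejects all of them and the data written for such an index is silently dropped.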
| 
| Ditto:
| 
|            } else {
|                qemu_log_mask(LOG_GUEST_ERROR, ...

+-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
| On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote:
| > While accessing VGA registers via ati_mm_read/write routines,
| > a guest may set 's->regs.mm_index' such that it leads to infinite
| > recursion. Check mm_index value to avoid it.
| 
| So this is a denial of service security issue. Is there any CVE
| assigned for this?

Yes, just sent a revised patch v3 with above changes and CVE-ID.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
