Headline
CVE-2020-13800: [PATCH v2] ati-vga: check mm_index before recursive call
ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.
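The recursion described above and the effect of an `mm_index > MM_DATA + 3` check, as an added, constructed model for regression-style testing (not QEMU code and not part of the original patch). The register offsets, the `SCRATCH` register, the `DEPTH_CAP` stand-in for stack exhaustion and all function names are assumptions of the model; the VRAM path and the access size are left out.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not QEMU code. Offsets, SCRATCH and DEPTH_CAP are assumptions. */
enum { MM_INDEX = 0x0, MM_DATA = 0x4, SCRATCH = 0x10, DEPTH_CAP = 64 };

struct model {
    uint32_t mm_index;   /* guest-controlled index register */
    uint32_t scratch;    /* one ordinary register reachable through the index */
    int depth, max_depth;
};

/* Indexed read through the MM_DATA window; 'checked' selects the patched form. */
static uint64_t model_mm_read(struct model *s, uint32_t addr, int checked)
{
    uint64_t val = 0;

    if (++s->depth > s->max_depth) {
        s->max_depth = s->depth;
    }
    if (s->depth < DEPTH_CAP) {          /* cap stands in for stack exhaustion */
        if (addr >= MM_DATA && addr <= MM_DATA + 3) {
            if (!checked || s->mm_index > MM_DATA + 3) {
                val = model_mm_read(s, s->mm_index + addr - MM_DATA, checked);
            }
        } else if (addr == MM_INDEX) {
            val = s->mm_index;
        } else if (addr == SCRATCH) {
            val = s->scratch;
        }
    }
    s->depth--;
    return val;
}

/* Deepest nesting reached by one read of MM_DATA for a given index value. */
static int read_depth(uint32_t mm_index, int checked)
{
    struct model s = { .mm_index = mm_index, .scratch = 0xabcd };
    model_mm_read(&s, MM_DATA, checked);
    return s.max_depth;
}

int main(void)
{
    for (uint32_t i = 0; i <= SCRATCH; i += 4) {
        printf("mm_index=0x%02x unchecked=%d checked=%d\n",
               (unsigned)i, read_depth(i, 0), read_depth(i, 1));
    }
    return 0;
}
```

In the model, an index that points back into the MM_DATA window nests until the cap without the check and stops at depth 1 with it, while an index aimed at an ordinary register behaves the same either way.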
From: P J P
Subject: [PATCH v2] ati-vga: check mm_index before recursive call
Date: Thu, 4 Jun 2020 00:25:22 +0530
From: Prasad J Pandit [email protected]
While accessing VGA registers via ati_mm_read/write routines, a guest may set ‘s->regs.mm_index’ such that it leads to infinite recursion. Check mm_index value to avoid it.
Reported-by: Ren Ding [email protected]
Reported-by: Hanqing Zhao [email protected]
Reported-by: Yi Ren [email protected]
Signed-off-by: Prasad J Pandit [email protected]

hw/display/ati.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Update v2: add check before recursive call -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html
diff --git a/hw/display/ati.c b/hw/display/ati.c index 065f197678…bda4a2d816 100644 — a/hw/display/ati.c +++ b/hw/display/ati.c @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) if (idx <= s->vga.vram_size - size) { val = ldn_le_p(s->vga.vram_ptr + idx, size); }
} else {
} else if (s->regs.mm\_index > MM\_DATA + 3) { val = ati\_mm\_read(s, s->regs.mm\_index + addr - MM\_DATA, size); } break;
@@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr, if (idx <= s->vga.vram_size - size) { stn_le_p(s->vga.vram_ptr + idx, size, data); }
} else {
} else if (s->regs.mm\_index > MM\_DATA + 3) { ati\_mm\_write(s, s->regs.mm\_index + addr - MM\_DATA, data, size); } break;
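Review bot: In the ati_mm_read hunk, the new `else if (s->regs.mm_index > MM_DATA + 3)` has no final else, so when mm_index is at or below MM_DATA + 3 the read returns whatever val held before this branch and nothing records that the access was refused. Consider a short comment stating why a bound on mm_index alone is enough to keep `s->regs.mm_index + addr - MM_DATA` from re-entering this branch, and a guest-error log (qemu_log_mask with LOG_GUEST_ERROR) on the rejected path so the condition is visible when debugging a guest.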
– 2.26.2
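Review bot: In the ati_mm_write hunk, the literal bound `s->regs.mm_index > MM_DATA + 3` is duplicated from ati_mm_read, and a write that fails it is dropped silently. A small shared helper or macro for the test would keep the read and write paths from drifting apart if the indexed window ever changes, and a guest-error log on the dropped write would make the refusal visible.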