From patchwork Sat May 24 12:44:59 2014
X-Patchwork-Submitter: Mark Cave-Ayland
X-Patchwork-Id: 352106
From: Mark Cave-Ayland
To: qemu-devel@nongnu.org
Date: Sat, 24 May 2014 13:44:59 +0100
Message-Id: <1400935501-18293-3-git-send-email-mark.cave-ayland@ilande.co.uk>
In-Reply-To: <1400935501-18293-1-git-send-email-mark.cave-ayland@ilande.co.uk>
References: <1400935501-18293-1-git-send-email-mark.cave-ayland@ilande.co.uk>
Cc: Paolo Bonzini, Mark Cave-Ayland
Subject: [Qemu-devel] [PATCH 2/4] cg3: add extra check to prevent CG3 register array overflow

The case statements in the CG3 read and write register routines have a maximum value of CG3_REG_SIZE, so if a value were written to this offset then it would overflow the register array.

Currently this cannot be exploited since the MemoryRegion restricts accesses to the range 0 ... CG3_REG_SIZE - 1, but it seems worth clarifying this for future review and/or static analysis.

Signed-off-by: Mark Cave-Ayland
CC: Paolo Bonzini
---
 hw/display/cg3.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/display/cg3.c b/hw/display/cg3.c
index cd9297d..65ef7a7 100644
--- a/hw/display/cg3.c
+++ b/hw/display/cg3.c
@@ -177,7 +177,7 @@ static uint64_t cg3_reg_read(void *opaque, hwaddr addr, unsigned size) /* monitor ID 6, board type = 1 (color) */ val = s->regs[1] | CG3_SR_1152_900_76_B | CG3_SR_ID_COLOR; break; - case CG3_REG_FBC_CURSTART ... CG3_REG_SIZE: + case CG3_REG_FBC_CURSTART ... CG3_REG_SIZE - 1: val = s->regs[addr - 0x10]; break; default: @@ -247,7 +247,7 @@ static void cg3_reg_write(void *opaque, hwaddr addr, uint64_t val, qemu_irq_lower(s->irq); } break; - case CG3_REG_FBC_CURSTART ... CG3_REG_SIZE: + case CG3_REG_FBC_CURSTART ... CG3_REG_SIZE - 1: s->regs[addr - 0x10] = val; break; default:
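Review bot: in the cg3_reg_read hunk the new bound `CG3_REG_FBC_CURSTART ... CG3_REG_SIZE - 1` is right, but the index on the next line, `val = s->regs[addr - 0x10];`, still hard-codes the base the range is defined against. If CG3_REG_FBC_CURSTART is 0x10, as the subtraction implies, write `val = s->regs[addr - CG3_REG_FBC_CURSTART];` so the case range and the index cannot drift apart when either constant changes. The hunk also depends on regs[] holding exactly CG3_REG_SIZE - CG3_REG_FBC_CURSTART entries, which nothing in the diff shows; a QEMU_BUILD_BUG_ON next to the array declaration (or at least a comment there) would make the relationship the commit message relies on checkable by the static analysis it mentions.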
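Review bot: in the cg3_reg_write hunk the same hard-coded base remains in `s->regs[addr - 0x10] = val;`; change it to `s->regs[addr - CG3_REG_FBC_CURSTART] = val;` to match the bound used in the case label. Since the commit message says the MemoryRegion already limits offsets to 0 ... CG3_REG_SIZE - 1, it would help a later reader to name that region's size in the message (or in a comment above the `default:` label) so the two bounds can be compared directly rather than re-derived; after this change an offset of CG3_REG_SIZE can only reach `default:`, and that is the property worth documenting.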
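The off-by-one the commit message describes, worked through as an added example; this is not QEMU's hw/display/cg3.c and not the patch author's code. It assumes CG3_REG_FBC_CURSTART = 0x10 and CG3_REG_SIZE = 0x20 (the patch does not show the #defines; only the `addr - 0x10` indexing and the case bounds are taken from the hunks), and the names cg3_reg_index_before, cg3_reg_index_after, cg3_mmio_in_window and cg3_reg_write_checked are hypothetical. The dispatch is written with the same GNU inclusive case-range syntax the patch uses, so the pre-patch range accepting offset CG3_REG_SIZE, the patched range sending it to `default:`, and the MemoryRegion window that made the bug unreachable can each be checked:

```c
#include <stdint.h>
#include <stdbool.h>
#include <assert.h>

/* Assumed register layout (not shown by the patch): regs[] is indexed
 * relative to CG3_REG_FBC_CURSTART, matching the hunks' addr - 0x10. */
#define CG3_REG_FBC_CURSTART 0x10   /* assumption */
#define CG3_REG_SIZE         0x20   /* assumption */
#define CG3_NREGS (CG3_REG_SIZE - CG3_REG_FBC_CURSTART)

typedef struct {
    uint8_t regs[CG3_NREGS];
} CG3State;

/* Tie the array length to the constants the case range is built from,
 * so a change to either is caught at compile time. */
_Static_assert(sizeof(((CG3State *)0)->regs) == CG3_NREGS, "regs[] size");

enum cg3_write_result {
    CG3_WRITE_OK,             /* stored inside regs[] */
    CG3_WRITE_IGNORED,        /* fell through to default: */
    CG3_WRITE_WOULD_OVERFLOW, /* case range accepted an index past regs[] */
};

/* Dispatch as it stood before the patch. GNU case ranges are inclusive,
 * so the upper bound CG3_REG_SIZE is itself matched and yields index
 * CG3_NREGS, one past the end of regs[]. */
static int cg3_reg_index_before(uint64_t addr)
{
    switch (addr) {
    case CG3_REG_FBC_CURSTART ... CG3_REG_SIZE:
        return (int)(addr - CG3_REG_FBC_CURSTART);
    default:
        return -1;
    }
}

/* Dispatch after the patch: the range stops one short of CG3_REG_SIZE. */
static int cg3_reg_index_after(uint64_t addr)
{
    switch (addr) {
    case CG3_REG_FBC_CURSTART ... CG3_REG_SIZE - 1:
        return (int)(addr - CG3_REG_FBC_CURSTART);
    default:
        return -1;
    }
}

/* The MemoryRegion only ever delivers offsets 0 ... CG3_REG_SIZE - 1,
 * which is why the pre-patch range could not be reached by a guest. */
static bool cg3_mmio_in_window(uint64_t addr)
{
    return addr < CG3_REG_SIZE;
}

/* Emulate the write path with the chosen dispatch, but refuse the store
 * instead of overflowing so the bad case can be observed safely. */
static enum cg3_write_result
cg3_reg_write_checked(CG3State *s, int (*dispatch)(uint64_t),
                      uint64_t addr, uint8_t val)
{
    int idx = dispatch(addr);

    if (idx < 0) {
        return CG3_WRITE_IGNORED;
    }
    if (idx >= CG3_NREGS) {
        return CG3_WRITE_WOULD_OVERFLOW;
    }
    s->regs[idx] = val;
    return CG3_WRITE_OK;
}

int main(void)
{
    CG3State s = { { 0 } };

    /* Offset CG3_REG_SIZE: old range maps it one past regs[] ... */
    assert(cg3_reg_write_checked(&s, cg3_reg_index_before, CG3_REG_SIZE, 0xaa)
           == CG3_WRITE_WOULD_OVERFLOW);
    /* ... patched range sends it to default: ... */
    assert(cg3_reg_write_checked(&s, cg3_reg_index_after, CG3_REG_SIZE, 0xaa)
           == CG3_WRITE_IGNORED);
    /* ... and the MemoryRegion never delivered it in the first place. */
    assert(!cg3_mmio_in_window(CG3_REG_SIZE));

    /* The last real register behaves the same before and after. */
    assert(cg3_reg_write_checked(&s, cg3_reg_index_after, CG3_REG_SIZE - 1, 0x5a)
           == CG3_WRITE_OK);
    assert(s.regs[CG3_NREGS - 1] == 0x5a);
    return 0;
}
```

The _Static_assert is the compile-time form of the check the commit message wants reviewers to make by hand: if regs[] and the case bounds ever disagree, the build fails rather than a guest write landing past the array.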