[libvirt] [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.
Paolo Bonzini
pbonzini at redhat.com
Fri Oct 26 08:48:09 UTC 2018
On 25/10/2018 10:52, Gerd Hoffmann wrote:
> We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
>
> Reproducer:
> outw(0xff60, 0x220);
> outw(0x1020, 0x220);
> outw(0xffb0, 0x220);
> Result:
> Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
I am dumb and I don't understand. In set_ar_dr you get
v = 0xff
ar = 15
dr = 15
and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which
seems to be actually 14 more than required. Likewise OPL->DR_TABLE[60]
is accessed.
The next accesses use SLOT->ksr which is 0 so it's fine too.
Paolo
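As an added illustration of the arithmetic Paolo walks through (example code written for this page, not the hw/audio/fmopl.c sources): a small C model that decodes the quoted outw() writes into a register/data pair, splits the AR/DR byte into ar and dr, computes the AR_TABLE offset, and checks it against the table size of 75 that the message cites. The nibble split, the ar<<2 offset and the ksr parameter are inferred from the values in the thread (v=0xff giving ar=15, dr=15 and AR_TABLE[60]); the range of ksr values scanned in main() and the clamped lookup at the end are assumptions added here to show what a bounds review would compute, and are not claims about the real code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Table size as quoted in the thread for FM_OPL->AR_TABLE[]. */
#define AR_TABLE_SIZE 75

/* outw(value, port) on x86 places the low byte on `port` and the high byte
 * on port+1; for the AdLib at 0x220 that is register select, then data. */
struct reg_write {
    uint8_t reg;
    uint8_t data;
};

static struct reg_write decode_outw(uint16_t value)
{
    struct reg_write w = { .reg = (uint8_t)(value & 0xff),
                           .data = (uint8_t)(value >> 8) };
    return w;
}

/* Attack rate is the high nibble, decay rate the low nibble (inferred from
 * v = 0xff -> ar = 15, dr = 15 in the message above). */
static int ar_of(uint8_t v) { return v >> 4; }
static int dr_of(uint8_t v) { return v & 0x0f; }

/* Table offset: ar<<2 reaches AR_TABLE[60] for ar == 15, as the thread
 * states; ksr is then added as the per-slot key-scale index. */
static int ar_table_index(int ar, int ksr) { return (ar << 2) + ksr; }

static bool index_in_bounds(int idx)
{
    return idx >= 0 && idx < AR_TABLE_SIZE;
}

/* Largest ksr that keeps the lookup inside the table for a given ar.
 * For ar == 15 this is 74 - 60 = 14, the "14 more than required" slack
 * mentioned in the reply. */
static int max_safe_ksr(int ar)
{
    return (AR_TABLE_SIZE - 1) - (ar << 2);
}

/* Hardened lookup (assumption, illustration only): clamp the index instead
 * of trusting that ksr stays small. */
static int clamped_index(int ar, int ksr)
{
    int idx = ar_table_index(ar, ksr);
    if (idx < 0)
        return 0;
    if (idx >= AR_TABLE_SIZE)
        return AR_TABLE_SIZE - 1;
    return idx;
}

int main(void)
{
    /* Constructed sample: the first outw() of the reproducer quoted above. */
    struct reg_write w = decode_outw(0xff60);
    int ar = ar_of(w.data), dr = dr_of(w.data);
    printf("reg 0x%02x data 0x%02x -> ar=%d dr=%d base index %d\n",
           w.reg, w.data, ar, dr, ar_table_index(ar, 0));

    /* Scan a range of ksr values (range assumed here) and report where the
     * unclamped index would leave the 75-entry table. */
    for (int ksr = 0; ksr <= 15; ksr++) {
        int idx = ar_table_index(ar, ksr);
        printf("ksr=%2d index=%2d %s\n", ksr, idx,
               index_in_bounds(idx) ? "ok" : "OUT OF BOUNDS");
    }
    printf("max safe ksr for ar=%d: %d\n", ar, max_safe_ksr(ar));
    return 0;
}
```

With ksr = 0 the lookup lands on AR_TABLE[60], inside the table, which is the case Paolo describes; the scan shows how much room remains before the offset reaches index 75.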