[libvirt] [Qemu-devel] [PATCH 2/3] adlib: mark as insecure and deprecated.

P J P ppandit at redhat.com
Fri Oct 26 09:34:55 UTC 2018


+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| I am dumb and I don't understand.  In set_ar_dr you get
| 
| 	v = 0xff
| 	ar = 15
| 	dr = 15
| 
| and OPL->AR_TABLE[60] is accessed.  The size of the array is 75, which
| seems to be actually 14 more than required.  Likewise OPL->DR_TABLE[60]
| is accessed.
| 
| The next accesses use SLOT->ksr which is 0 so it's fine too.

In set_ar_dr

  SLOT->AR = ar ? &OPL->AR_TABLE[ar<<2] : RATE_0;

SLOT->AR is set to point to OPL->DR_TABLE[60], and while so, if s->ksr is set to 
15, in CALC_FCSLOT()

  SLOT->evsa = SLOT->AR[ksr];  <= accesses OPL->AR_TABLE[60 + 15];

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
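
The index arithmetic discussed in this message, as an added example that is not part of the original e-mail and is not QEMU's code: it models the 75-entry table and shows which (ar, ksr) combinations reach past its end, next to a bounds-checked lookup. The struct layout, the helper names, the treatment of the RATE_0 path and the 4-bit range for ar and ksr are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RATE_TABLE_LEN 75u  /* AR_TABLE size quoted in the thread */
#define NIBBLE_MAX     15u  /* assumption: ar and ksr are 4-bit values */
/* Simplified stand-in for the OPL state (assumed layout, not QEMU's struct). */
struct opl_model {
    int32_t AR_TABLE[RATE_TABLE_LEN];
};

/* AR_TABLE element reached by SLOT->AR[ksr] when SLOT->AR = &AR_TABLE[ar << 2]. */
size_t effective_index(unsigned ar, unsigned ksr)
{
    return ((size_t)ar << 2) + ksr;
}

/* Hypothetical checked lookup: 0 on success, -1 if the read would leave the table. */
int rate_lookup_checked(const struct opl_model *opl,
                        unsigned ar, unsigned ksr, int32_t *out)
{
    size_t idx = effective_index(ar, ksr);
    if (ar == 0) {          /* RATE_0 path: AR_TABLE is not touched (modelled as 0) */
        *out = 0;
        return 0;
    }
    if (ar > NIBBLE_MAX || ksr > NIBBLE_MAX || idx >= RATE_TABLE_LEN)
        return -1;
    *out = opl->AR_TABLE[idx];
    return 0;
}

/* Count the (ar, ksr) pairs in the 4-bit range whose index falls outside the table. */
unsigned count_oob_pairs(void)
{
    unsigned n = 0;
    for (unsigned ar = 1; ar <= NIBBLE_MAX; ar++)
        for (unsigned ksr = 0; ksr <= NIBBLE_MAX; ksr++)
            if (effective_index(ar, ksr) >= RATE_TABLE_LEN)
                n++;
    return n;
}

int main(void)
{
    printf("max index %zu, table length %u, out-of-range pairs %u\n",
           effective_index(NIBBLE_MAX, NIBBLE_MAX), RATE_TABLE_LEN, count_oob_pairs());
    return 0;
}
```

Under these assumptions only the combination ar = 15, ksr = 15 leaves the table, landing on index 75, one element past the last valid index 74.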



