1 | From: Denis Rastyogin <gerben@altlinux.org> | 1 | From: Denis Rastyogin <gerben@altlinux.org> |
---|---|---|---|
2 | 2 | ||
3 | Accessing an element of the s->core_registers array | 3 | Accessing an element of the s->core_registers array, |
4 | with a size of 236 (0x3AC) may lead to a buffer overflow, | 4 | which has a size of 236 (0x3AC), may lead to a buffer overflow |
5 | as the index 'offset' can exceed the valid range and reach values | 5 | if the 'offset' index exceeds the valid range, potentially |
6 | up to 5139 (0x504C >> 2). This change addresses | 6 | reaching values up to 5139 (0x504C >> 2). Therefore, the bounds |
7 | a potential vulnerability when writing data. | 7 | check has been tightened to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2). |
8 | This change addresses a potential vulnerability by ensuring | ||
9 | the offset stays within the valid range before writing data. | ||
8 | 10 | ||
9 | Found by Linux Verification Center (linuxtesting.org) with SVACE. | 11 | Found by Linux Verification Center (linuxtesting.org) with SVACE. |
10 | 12 | ||
11 | Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru> | 13 | Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru> |
12 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> | 14 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> |
13 | --- | 15 | --- |
14 | hw/display/xlnx_dp.c | 2 +- | 16 | hw/display/xlnx_dp.c | 6 +++++- |
15 | 1 file changed, 1 insertion(+), 1 deletion(-) | 17 | 1 file changed, 5 insertions(+), 1 deletion(-) |
16 | 18 | ||
17 | diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c | 19 | diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c |
18 | index XXXXXXX..XXXXXXX 100644 | 20 | index XXXXXXX..XXXXXXX 100644 |
19 | --- a/hw/display/xlnx_dp.c | 21 | --- a/hw/display/xlnx_dp.c |
20 | +++ b/hw/display/xlnx_dp.c | 22 | +++ b/hw/display/xlnx_dp.c |
21 | @@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value, | 23 | @@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value, |
22 | DPRINTF("core write @%" PRIx64 " = 0x%8.8" PRIX64 "\n", offset, value); | ||
23 | |||
24 | offset = offset >> 2; | ||
25 | + assert(offset <= (0x3AC >> 2)); | ||
26 | |||
27 | switch (offset) { | ||
28 | /* | ||
29 | @@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value, | ||
30 | xlnx_dp_update_irq(s); | 24 | xlnx_dp_update_irq(s); |
31 | break; | 25 | break; |
32 | default: | 26 | default: |
33 | - assert(offset <= (0x504C >> 2)); | 27 | - assert(offset <= (0x504C >> 2)); |
28 | + /* | ||
29 | + * Check to ensure the offset is within the bounds of | ||
30 | + * the core_registers[] array. | ||
31 | + */ | ||
32 | + assert(offset < DP_CORE_REG_ARRAY_SIZE); | ||
34 | s->core_registers[offset] = value; | 33 | s->core_registers[offset] = value; |
35 | break; | 34 | break; |
36 | } | 35 | } |
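Review bot: The new `assert(offset < DP_CORE_REG_ARRAY_SIZE)` in the `default:` arm still aborts the whole QEMU process on an index the guest chose, so an out-of-range register write turns into a guest-triggerable crash instead of an ignored access; the `hwaddr offset, uint64_t value` signature suggests xlnx_dp_write is an MMIO handler, and QEMU convention for a stray offset on such a path is to log and drop the write rather than assert, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "%s: bad write to register index 0x%" HWADDR_PRIx "\n", __func__, offset); break;` placed before the store. Whether the MMIO window registered for this device is already smaller than the array (which would make the offset unreachable and the assert merely documentary) is not visible in this hunk, so the assert may be acceptable only if that is established. If it is kept, a one-line comment stating that the region size guarantees the bound would tell the next reader why an abort is safe here. The enclosing switch and xlnx_dp_write itself start and end outside the hunk.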
37 | -- | 36 | -- |
38 | 2.42.2 | 37 | 2.42.2 | diff view generated by jsdifflib |