From: Denis Rastyogin <gerben@altlinux.org>

Accessing an element of the s->core_registers array
with a size of 236 (0x3AC) may lead to a buffer overflow,
as the index 'offset' can exceed the valid range and reach values
up to 5139 (0x504C >> 2). This change addresses
a potential vulnerability when writing data.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
hw/display/xlnx_dp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

From: Denis Rastyogin <gerben@altlinux.org>

Accessing an element of the s->core_registers array,
which has a size of 236 (0x3AC), may lead to a buffer overflow
if the 'offset' index exceeds the valid range, potentially
reaching values up to 5139 (0x504C >> 2). Therefore, the bounds
check has been extended to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2).
This change addresses a potential vulnerability by ensuring
the offset stays within the valid range before writing data.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
hw/display/xlnx_dp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

17
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
19
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
18
index XXXXXXX..XXXXXXX 100644
20
index XXXXXXX..XXXXXXX 100644
19
--- a/hw/display/xlnx_dp.c
21
--- a/hw/display/xlnx_dp.c
20
+++ b/hw/display/xlnx_dp.c
22
+++ b/hw/display/xlnx_dp.c
21
@@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value,
23
@@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value,
22
DPRINTF("core write @%" PRIx64 " = 0x%8.8" PRIX64 "\n", offset, value);
23
24
offset = offset >> 2;
25
+ assert(offset <= (0x3AC >> 2));
26
27
switch (offset) {
28
/*
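Review bot: the `assert(offset <= (0x3AC >> 2));` added directly after `offset = offset >> 2;` sits before the `switch`, so it constrains every write to this handler, not only the ones that fall through to the `default:` store into `s->core_registers[]`. If `offset` can reach 0x504C >> 2 as the commit message states, this line aborts on such a write rather than rejecting it, so consider an explicit range check that logs and returns early. The literal 0x3AC is also a magic number; a named constant tied to the array's declared size would keep the bound from drifting away from the declaration.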
29
@@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value,
30
xlnx_dp_update_irq(s);
24
xlnx_dp_update_irq(s);
31
break;
25
break;
32
default:
26
default:
33
- assert(offset <= (0x504C >> 2));
27
- assert(offset <= (0x504C >> 2));
28
+ /*
29
+ * Check to ensure the offset is within the bounds of
30
+ * the core_registers[] array.
31
+ */
32
+ assert(offset < DP_CORE_REG_ARRAY_SIZE);
34
s->core_registers[offset] = value;
33
s->core_registers[offset] = value;
35
break;
34
break;
36
}
35
}
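Review bot: in the `default:` branch the bound is still enforced with `assert(offset < DP_CORE_REG_ARRAY_SIZE);`, so an out-of-range offset terminates the process instead of being dropped; if such offsets are reachable, as the commit message says (up to 0x504C >> 2), an explicit `if (offset >= DP_CORE_REG_ARRAY_SIZE)` that logs the bad offset and then hits `break` would make the store safe without an abort. Using the named constant instead of a literal is the right direction, and the comment above the check is helpful. The message gives the array size as "236 (0x3AC)" while the constant is described as 0x3B0 >> 2; 236 equals 0x3B0 >> 2, so the 0x3AC in the description should be corrected or explained. This hunk only covers `xlnx_dp_write`; it is worth confirming that any read path indexing `s->core_registers[]` has the same bound.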
37
--
36
--
38
2.42.2
37
2.42.2