| 1 | From: Denis Rastyogin <gerben@altlinux.org> | 1 | From: Denis Rastyogin <gerben@altlinux.org> |
|---|---|---|---|
| 2 | 2 | ||
| 3 | Accessing an element of the s->core_registers array | 3 | Accessing an element of the s->core_registers array, |
| 4 | with a size of 236 (0x3AC) may lead to a buffer overflow, | 4 | which has a size of 236 (0x3AC), may lead to a buffer overflow |
| 5 | as the index 'offset' can exceed the valid range and reach values | 5 | if the 'offset' index exceeds the valid range, potentially |
| 6 | up to 5139 (0x504C >> 2). This change addresses | 6 | reaching values up to 5139 (0x504C >> 2). The bounds check |
| 7 | a potential vulnerability when writing data. | 7 | has been extended to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2) |
| 8 | to ensure the offset remains within the valid range before writing data. | ||
| 9 | |||
| 10 | The memory region is registered to match the size of | ||
| 11 | the core_registers array. This ensures that the guest cannot issue | ||
| 12 | an out-of-bounds write. Therefore, using `assert` remains appropriate | ||
| 13 | to catch internal violations. | ||
| 8 | 14 | ||
| 9 | Found by Linux Verification Center (linuxtesting.org) with SVACE. | 15 | Found by Linux Verification Center (linuxtesting.org) with SVACE. |
| 10 | 16 | ||
| 11 | Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru> | 17 | Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru> |
| 12 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> | 18 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> |
| 13 | --- | 19 | --- |
| 14 | hw/display/xlnx_dp.c | 2 +- | 20 | hw/display/xlnx_dp.c | 6 +++++- |
| 15 | 1 file changed, 1 insertion(+), 1 deletion(-) | 21 | 1 file changed, 5 insertions(+), 1 deletion(-) |
| 16 | 22 | ||
| 17 | diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c | 23 | diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c |
| 18 | index XXXXXXX..XXXXXXX 100644 | 24 | index XXXXXXX..XXXXXXX 100644 |
| 19 | --- a/hw/display/xlnx_dp.c | 25 | --- a/hw/display/xlnx_dp.c |
| 20 | +++ b/hw/display/xlnx_dp.c | 26 | +++ b/hw/display/xlnx_dp.c |
| 21 | @@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value, | 27 | @@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value, |
| 22 | DPRINTF("core write @%" PRIx64 " = 0x%8.8" PRIX64 "\n", offset, value); | ||
| 23 | |||
| 24 | offset = offset >> 2; | ||
| 25 | + assert(offset <= (0x3AC >> 2)); | ||
| 26 | |||
| 27 | switch (offset) { | ||
| 28 | /* | ||
| 29 | @@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value, | ||
| 30 | xlnx_dp_update_irq(s); | 28 | xlnx_dp_update_irq(s); |
| 31 | break; | 29 | break; |
| 32 | default: | 30 | default: |
| 33 | - assert(offset <= (0x504C >> 2)); | 31 | - assert(offset <= (0x504C >> 2)); |
| 32 | + /* | ||
| 33 | + * Check to ensure the offset is within the bounds of | ||
| 34 | + * the core_registers[] array. | ||
| 35 | + */ | ||
| 36 | + assert(offset < DP_CORE_REG_ARRAY_SIZE); | ||
| 34 | s->core_registers[offset] = value; | 37 | s->core_registers[offset] = value; |
| 35 | break; | 38 | break; |
| 36 | } | 39 | } |
| 37 | -- | 40 | -- |
| 38 | 2.42.2 | 41 | 2.42.2 | diff view generated by jsdifflib |