Series comparison | Patchew

-[PATCH v2] hw/display: refine upper limit for offset value in assert check
+[PATCH v3] hw/display: refine upper limit for offset value in assert check
 From: Denis Rastyogin <gerben@altlinux.org>
 Accessing an element of the s->core_registers array,
 which has a size of 236 (0x3AC), may lead to a buffer overflow
 if the 'offset' index exceeds the valid range, potentially
-reaching values up to 5139 (0x504C >> 2). Therefore, the bounds
+reaching values up to 5139 (0x504C >> 2). The bounds check
-check has been extended to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2).
+has been extended to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2)
-This change addresses a potential vulnerability by ensuring
+to ensure the offset remains within the valid range before writing data.
-the offset stays within the valid range before writing data.
 The memory region is registered to match the size of
 the core_registers array. This ensures that the guest cannot issue
 an out-of-bounds write. Therefore, using `assert` remains appropriate
 to catch internal violations.
 Found by Linux Verification Center (linuxtesting.org) with SVACE.
 Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
 Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
 ...

From: Denis Rastyogin <gerben@altlinux.org>

Accessing an element of the s->core_registers array,
which has a size of 236 (0x3AC), may lead to a buffer overflow
if the 'offset' index exceeds the valid range, potentially
reaching values up to 5139 (0x504C >> 2). Therefore, the bounds
check has been extended to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2).
This change addresses a potential vulnerability by ensuring
the offset stays within the valid range before writing data.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 hw/display/xlnx_dp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value,
         xlnx_dp_update_irq(s);
         break;
     default:
-        assert(offset <= (0x504C >> 2));
+        /*
+         * Check to ensure the offset is within the bounds of
+         * the core_registers[] array.
+        */
+        assert(offset < DP_CORE_REG_ARRAY_SIZE);
         s->core_registers[offset] = value;
         break;
     }
-- 
2.42.2

From: Denis Rastyogin <gerben@altlinux.org>

Accessing an element of the s->core_registers array,
which has a size of 236 (0x3AC), may lead to a buffer overflow
if the 'offset' index exceeds the valid range, potentially
reaching values up to 5139 (0x504C >> 2). The bounds check
has been extended to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2)
to ensure the offset remains within the valid range before writing data.

The memory region is registered to match the size of
the core_registers array. This ensures that the guest cannot issue
an out-of-bounds write. Therefore, using `assert` remains appropriate
to catch internal violations.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 hw/display/xlnx_dp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value,
         xlnx_dp_update_irq(s);
         break;
     default:
-        assert(offset <= (0x504C >> 2));
+        /*
+         * Check to ensure the offset is within the bounds of
+         * the core_registers[] array.
+        */
+        assert(offset < DP_CORE_REG_ARRAY_SIZE);
         s->core_registers[offset] = value;
         break;
     }
-- 
2.42.2