Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-1

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-1

From:	Gerd Hoffmann
Subject:	Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Date:	Thu, 4 Jun 2020 15:47:27 +0200

> +        } else if (s->regs.mm_index > MM_DATA + 3) {
>              val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);

MM_INDEX is 0
MM_DATA  is 4
"normal" registers start at 8.

So we want allow indirect access for offset 8 and above and deny offsets
0-7.  mm_index is interpreted with an offset, see "- MM_DATA" in the
call above.

Not clear to me why this offset is 4, that doesn't make sense to me.
I'd expect either no offset or offset being 8.  BALATON, can you
double-check that with the specs?

Assuming offset 4 is correct we must require mm_index being larger than
MM_DATA + MM_DATA + 3 ( == 11) to compensate for the offset.

take care,
  Gerd

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), P J P, 2020/06/04
- Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), Gerd Hoffmann <=
  - Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), BALATON Zoltan, 2020/06/04
    - Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800), Gerd Hoffmann, 2020/06/05

Prev by Date: Re: [PATCH] qga: fix assert regression on guest-shutdown
Next by Date: Re: [PATCH v2 1/7] qdev: add support for device module loading
Previous by thread: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Next by thread: Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Index(es):
- Date
- Thread