Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-1
From: Gerd Hoffmann
Subject: Re: [PATCH v3] ati-vga: check mm_index before recursive call (CVE-2020-13800)
Date: Fri, 5 Jun 2020 09:11:56 +0200
On Thu, Jun 04, 2020 at 03:59:05PM +0200, BALATON Zoltan wrote:
> On Thu, 4 Jun 2020, Gerd Hoffmann wrote:
> > > + } else if (s->regs.mm_index > MM_DATA + 3) {
> > > val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA,
> > > size);
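Review bot: the bound `MM_DATA + 3` in the new `else if` condition carries no comment, and it is easy to misread because the call right below it applies `- MM_DATA` to the address being read, not to the bound. Suggest a comment on that line saying which offsets the check excludes and why (the index and data registers themselves, so the nested `ati_mm_read()` cannot come back into this branch), or a named constant for the first offset that may be read indirectly. The comment should also say that the check has to hold for the full sum `s->regs.mm_index + addr - MM_DATA`, which depends on the range `addr` can take in this branch; that range is not visible in these lines.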
> >
> > MM_INDEX is 0
> > MM_DATA is 4
> > "normal" registers start at 8.
> >
> > So we want to allow indirect access for offset 8 and above and deny offsets
> > 0-7. mm_index is interpreted with an offset, see "- MM_DATA" in the
> > call above.
>
> MM_INDEX is the register to read, addr - MM_DATA is an offset for unaligned
> access (when guest reads MM_DATA + 1, size=2 then we need to return
> regs[valueof(MM_INDEX) + 1], size=2).
Ah, right. Scratch my comment then, patch is correct.
Added to vga queue.
thanks,
Gerd
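
The indirect read discussed in this thread, as an added example: a simplified C model of an MM_INDEX/MM_DATA register window, not QEMU's ati-vga code, showing the unaligned offset case and why an index that points back at MM_DATA has to be rejected before the nested read. `Model`, `Result`, `model_read`, `probe`, `REG_SPACE` and `DEPTH_CAP` are assumptions made for the illustration; the depth cap stands in for recursion that would otherwise not terminate, and the register contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
enum { MM_INDEX = 0, MM_DATA = 4 };          /* offsets quoted in the thread */
enum { REG_SPACE = 0x40, DEPTH_CAP = 16 };   /* assumed: toy sizes for the demo */

typedef struct {
    uint32_t mm_index;        /* last value the guest wrote to MM_INDEX */
    uint8_t regs[REG_SPACE];  /* "normal" registers live at offset 8 and up */
    int guard;                /* nonzero: apply the mm_index check */
    int depth, max_depth;     /* recursion bookkeeping */
} Model;
typedef struct { uint64_t val; int max_depth; } Result;

static uint64_t model_read(Model *m, uint32_t addr, unsigned size)
{
    uint64_t val = 0;
    if (++m->depth > m->max_depth) m->max_depth = m->depth;
    if (addr < MM_DATA) {                       /* MM_INDEX itself */
        val = m->mm_index >> (8 * (addr - MM_INDEX));
    } else if (addr < MM_DATA + 4) {            /* MM_DATA window: indirect read */
        int allowed = !m->guard || m->mm_index > MM_DATA + 3;
        if (allowed && m->depth < DEPTH_CAP)    /* cap stands in for stack exhaustion */
            val = model_read(m, m->mm_index + addr - MM_DATA, size);
    } else if (size <= REG_SPACE && addr <= REG_SPACE - size) {
        for (unsigned i = 0; i < size; i++)     /* little-endian register bytes */
            val |= (uint64_t)m->regs[addr + i] << (8 * i);
    }
    m->depth--;
    return val;
}

static Result probe(int guard, uint32_t mm_index, uint32_t addr, unsigned size)
{
    Model m = { .mm_index = mm_index, .guard = guard };
    for (int i = 0; i < REG_SPACE; i++) m.regs[i] = (uint8_t)(0x10 + i);  /* constructed */
    Result r = { .val = model_read(&m, addr, size) };
    r.max_depth = m.max_depth;                  /* deepest nesting this read reached */
    return r;
}

int main(void)
{
    Result ok = probe(1, 8, MM_DATA + 1, 2);       /* legal unaligned indirect read */
    Result bad = probe(0, MM_DATA, MM_DATA, 4);    /* no check, index points at MM_DATA */
    Result fixed = probe(1, MM_DATA, MM_DATA, 4);  /* same index with the check */
    printf("val=0x%llx depth=%d | unguarded depth=%d | guarded depth=%d\n",
           (unsigned long long)ok.val, ok.max_depth, bad.max_depth, fixed.max_depth);
    return 0;
}
```

With the check in place an indirect read nests exactly once, because any accepted index plus the 0 to 3 byte offset lands at offset 8 or above.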