| author | Peter Maydell <peter.maydell@linaro.org> | 2020-06-05 13:53:05 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2020-06-05 13:53:05 +0100 |
| commit | 5d2f557b47dfbf8f23277a5bdd8473d4607c681a (patch) | |
| tree | b201eb447b39b4d5699a12e616e71398f251c5ce /hw/display/ati.c | |
| parent | b489f015fbe2bd59d409211f79ea0a8ac5d2a66d (diff) | |
| parent | ae3887e6f08c0031b669d4613987ee51df8f1769 (diff) | |
Merge remote-tracking branch 'remotes/kraxel/tags/vga-20200605-pull-request' into staging
vga: ati security fix, cirrus cleanup. # gpg: Signature made Fri 05 Jun 2020 12:27:13 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/vga-20200605-pull-request: hw/display/cirrus_vga: Fix code mis-indentation ati-vga: check mm_index before recursive call (CVE-2020-13800) Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/display/ati.c')
| -rw-r--r-- | hw/display/ati.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 065f197678..67604e68de 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
 if (idx <= s->vga.vram_size - size) {
 val = ldn_le_p(s->vga.vram_ptr + idx, size);
 }
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
 val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
 }
 break;
 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
 if (idx <= s->vga.vram_size - size) {
 stn_le_p(s->vga.vram_ptr + idx, size, data);
 }
- } else {
+ } else if (s->regs.mm_index > MM_DATA + 3) {
 ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
+ } else {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
 }
 break;
 case BIOS_0_SCRATCH ... BUS_CNTL - 1: |
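Review bot: The bound `MM_DATA + 3` in the new `else if` of ati_mm_read carries the whole fix but is unexplained. It presumably mirrors the width of the MM_DATA window handled by the enclosing case (the case label is outside the hunk), so that the indirect access can never resolve back to MM_DATA and recurse again. I would add a comment above the condition, for example `/* mm_index must point past the MM_DATA window, otherwise the indirect access re-enters this case */`; the same condition in the ati_mm_write hunk wants the same comment. On the rejected read path only the guest-error log runs, so the function returns whatever `val` held before the branch. Its initialisation is outside the hunk and worth confirming, as both function bodies start and end outside the hunks.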