diff options
| author | Gerd Hoffmann <kraxel@redhat.com> | 2016-04-26 08:49:10 +0200 |
|---|---|---|
| committer | Gerd Hoffmann <kraxel@redhat.com> | 2016-05-02 16:02:59 +0200 |
| commit | 3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e (patch) | |
| tree | 9bd6987aa9f48c15ee4bc112ec6bdb481c59fee7 /qapi/qapi-dealloc-visitor.c | |
| parent | 277abf15a60f7653bfb05ffb513ed74ffdaea1b7 (diff) | |
| download | focaccia-qemu-3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e.tar.gz focaccia-qemu-3bf1817079bb0d80c0d8a86a7c7dd0bfe90eb82e.zip | |
vga: fix banked access bounds checking (CVE-2016-3710)
vga allows banked access to video memory using the window at 0xa00000
and it supports a different access modes with different address
calculations.
The VBE bochs extentions support banked access too, using the
VBE_DISPI_INDEX_BANK register. The code tries to take the different
address calculations into account and applies different limits to
VBE_DISPI_INDEX_BANK depending on the current access mode.
Which is probably effective in stopping misprogramming by accident.
But from a security point of view completely useless as an attacker
can easily change access modes after setting the bank register.
Drop the bogus check, add range checks to vga_mem_{readb,writeb}
instead.
Fixes: CVE-2016-3710
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'qapi/qapi-dealloc-visitor.c')
0 files changed, 0 insertions, 0 deletions