+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. | | Reproducer: | outw(0xff60, 0x220); | outw(0x1020, 0x220); | outw(0xffb0, 0x220); | Result: | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) + Reported-by: Wangjunqing <wangjunqing@xxxxxxxxxx> | diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c | index 97b876c..fb4a29c 100644 | --- a/hw/audio/adlib.c | +++ b/hw/audio/adlib.c | @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) | set_bit(DEVICE_CATEGORY_SOUND, dc->categories); | dc->desc = ADLIB_DESC; | dc->props = adlib_properties; | + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; | } | | static const TypeInfo adlib_info = { | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi | index 11b870c..7951a4f 100644 | --- a/qemu-deprecated.texi | +++ b/qemu-deprecated.texi | @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and | The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' | or ``ivshmem-doorbell`` device types. | | +@subsection adlib (since 3.1) | + | +Has known buffer overflow. | + | @section System emulator machines | | @subsection pc-0.10 and pc-0.11 (since 3.0) Okay. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
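Review bot: In the hw/audio/adlib.c hunk, setting dc->deprecation_reason in adlib_class_initfn only labels the device; nothing in this patch touches hw/audio/fmopl.[ch], so the write past FM_OPL->AR_TABLE[] described in the commit message stays reachable from any guest that is still given an adlib device. Either add a bounds check on the AR_TABLE[] index in the opl2 code alongside the deprecation, or state in the commit message that deprecation is being chosen instead of a fix so that downstreams know the overflow remains. The reason string would also be more useful to an operator if it said the overflow is guest-triggerable, as the commit message does.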
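Review bot: In the qemu-deprecated.texi hunk, the new "@subsection adlib (since 3.1)" entry says only "Has known buffer overflow.", which drops the two facts an administrator needs from the commit message: that the overflow is guest-triggerable and that it lives in the opl2 emulation. The ivshmem entry just above it tells the reader what to do next; this entry should do the same, for example by stating that the device should not be exposed to untrusted guests and whether any replacement or fix is planned.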