On 2018-10-25 09:52, Gerd Hoffmann wrote: > We have a lovely, guest-triggerable buffer overflow in opl2 emulation. > > Reproducer: > outw(0xff60, 0x220); > outw(0x1020, 0x220); > outw(0xffb0, 0x220); > Result: > Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) > > The specs google finds (http://www.symphoniae.com/Yamaha/YSC/YM3812.pdf) > are rather sparse, possibly incomplete (looks like scanned fax with a > scrambled page at the end) and not really helpful in identifying which > of the register writes sets some illegal value. > > So, go tag the device as deprecated with a warning messge, to notify > users and schedule it for removal according to our deprecation policy. > > Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx> > --- > hw/audio/adlib.c | 1 + > qemu-deprecated.texi | 4 ++++ > 2 files changed, 5 insertions(+) > > diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c > index 97b876c..fb4a29c 100644 > --- a/hw/audio/adlib.c > +++ b/hw/audio/adlib.c > @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) > set_bit(DEVICE_CATEGORY_SOUND, dc->categories); > dc->desc = ADLIB_DESC; > dc->props = adlib_properties; > + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; > } > > static const TypeInfo adlib_info = { > diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi > index 11b870c..7951a4f 100644 > --- a/qemu-deprecated.texi > +++ b/qemu-deprecated.texi > @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and > The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' > or ``ivshmem-doorbell`` device types. > > +@subsection adlib (since 3.1) > + > +Has known buffer overflow. > + > @section System emulator machines > > @subsection pc-0.10 and pc-0.11 (since 3.0) > Any chance you could maybe at least add an assert() to the affected code so that it crashes instead of silently overflowing the buffer? Anyway, with the "messge" typo fixed: Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
