On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote:
> +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
> | We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
> |
> | Reproducer:
> | outw(0xff60, 0x220);
> | outw(0x1020, 0x220);
> | outw(0xffb0, 0x220);
> | Result:
> | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
>
> + Reported-by: Wangjunqing <wangjunqing@xxxxxxxxxx>
So you have a CVE number for this ?
If so, it should be referenced in the commit message too, even if
we can't fix the problem.
> | diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c
> | index 97b876c..fb4a29c 100644
> | --- a/hw/audio/adlib.c
> | +++ b/hw/audio/adlib.c
> | @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data)
> | set_bit(DEVICE_CATEGORY_SOUND, dc->categories);
> | dc->desc = ADLIB_DESC;
> | dc->props = adlib_properties;
> | + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation";
> | }
> |
> | static const TypeInfo adlib_info = {
> | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
> | index 11b870c..7951a4f 100644
> | --- a/qemu-deprecated.texi
> | +++ b/qemu-deprecated.texi
> | @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and
> | The ``ivshmem'' device type is replaced by either the ``ivshmem-plain''
> | or ``ivshmem-doorbell`` device types.
> |
> | +@subsection adlib (since 3.1)
> | +
> | +Has known buffer overflow.
It would be good to give a recommendation to a better choice to
replace its usage
> | +
> | @section System emulator machines
> |
> | @subsection pc-0.10 and pc-0.11 (since 3.0)
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
