[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed
From: |
TeLeMan |
Subject: |
Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed |
Date: |
Fri, 30 Nov 2007 17:36:13 -0800 (PST) |
Blue Swirl-2 wrote:
>
> On 11/28/07, TeLeMan <address@hidden> wrote:
>>
>> dyngen_code() can generate more than CODE_GEN_MAX_SIZE bytes,
>> code_gen_buffer
>> can be overflowed. I hope this security bug will be fixed soon.
>
> Thank you for the analysis. It's true that cpu_gen_code does not pass
> CODE_GEN_MAX_SIZE (65536) on to gen_intermediate_code and that should
> be fixed. But gen_intermediate_code can only add OPC_MAX_SIZE (512 -
> 32) instructions more, so there is no security bug.
>
>
This POC is a windows exe and was tested on QEMU v0.9.0 (Guest OS is Windows
XP SP2).
This overflow will overwrite the TranslationBlock buffer.
http://www.nabble.com/file/p14101223/qemu-dos.rar qemu-dos.rar
--
View this message in context:
http://www.nabble.com/-security-bug-code_gen_buffer-can-be-overflowed-tf4886083.html#a14101223
Sent from the QEMU - Dev mailing list archive at Nabble.com.