[PATCH v3] hw/display: refine upper limit for offset value in assert check


From: gerben
Subject: [PATCH v3] hw/display: refine upper limit for offset value in assert check
Date: Thu, 12 Dec 2024 23:40:29 +0300

From: Denis Rastyogin <gerben@altlinux.org>

Accessing an element of the s->core_registers array,
which has a size of 236 (0x3AC), may lead to a buffer overflow
if the 'offset' index exceeds the valid range, potentially
reaching values up to 5139 (0x504C >> 2). The bounds check
has been extended to DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2)
to ensure the offset remains within the valid range before writing data.

The memory region is registered to match the size of
the core_registers array. This ensures that the guest cannot issue
an out-of-bounds write. Therefore, using `assert` remains appropriate
to catch internal violations.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reported-by: David Meliksetyan <d.meliksetyan@fobos-nt.ru>
Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
---
 hw/display/xlnx_dp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index 6ab2335499..3f1f5d81bd 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -896,7 +896,11 @@ static void xlnx_dp_write(void *opaque, hwaddr offset, 
uint64_t value,
         xlnx_dp_update_irq(s);
         break;
     default:
-        assert(offset <= (0x504C >> 2));
+        /*
+         * Check to ensure the offset is within the bounds of
+         * the core_registers[] array.
+        */
+        assert(offset < DP_CORE_REG_ARRAY_SIZE);
         s->core_registers[offset] = value;
         break;
     }
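Review bot: the closing `*/` of the new comment block is indented one column short of the ` *` lines above it (`+        */` versus `+         * the core_registers[] array.`); align it with the other continuation lines so the comment matches the kernel-style block comments used elsewhere in the file. The substance of the hunk is right: switching from `offset <= (0x504C >> 2)` to `offset < DP_CORE_REG_ARRAY_SIZE` uses a strict comparison against the element count, which is the correct idiom because the last valid index of `core_registers[]` is `DP_CORE_REG_ARRAY_SIZE - 1`, and the old bound admitted indices far beyond a 236-entry array. Given the commit message's argument that the MMIO region is sized to the array, it would help a reader to state in the comment that this assert documents an internal invariant rather than a guest-reachable condition.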
-- 
2.42.2
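To make the bounds argument in the commit message concrete, the following added example (not QEMU's code and not part of the patch) models a memory-mapped register file like `core_registers[]`, compares the old `<= (0x504C >> 2)` bound with the new `< DP_CORE_REG_ARRAY_SIZE` check, and shows why an MMIO window sized to the array keeps the handler's index inside it. The two constants come from the patch description; the window size `CORE_IOMEM_SIZE`, the `ModelDPState` type and every function name are assumptions made for the example.

```c
/*
 * Added example (not QEMU's code): a minimal model of a memory-mapped
 * register file like xlnx_dp's core_registers[], showing why the old
 * assert bound (0x504C >> 2) did not protect a 236-entry array and why
 * the replacement (offset < DP_CORE_REG_ARRAY_SIZE) does.
 * The two constants come from the patch description; the window size
 * is an assumption mirroring "registered to match the size of the
 * core_registers array" (4 bytes per register).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DP_CORE_REG_ARRAY_SIZE (0x3B0 >> 2)  /* 236 entries, per the patch */
#define OLD_UPPER_BOUND        (0x504C >> 2) /* 5139, the old assert bound */

/* Assumed: the MMIO window is exactly the array expressed in bytes. */
#define CORE_IOMEM_SIZE        (DP_CORE_REG_ARRAY_SIZE * 4)

typedef struct {
    uint32_t core_registers[DP_CORE_REG_ARRAY_SIZE];
} ModelDPState;

/* The old check: true for any index the old assert would have accepted. */
bool old_check_passes(uint64_t offset)
{
    return offset <= OLD_UPPER_BOUND;
}

/* The new check: strict '<' against the element count. */
bool new_check_passes(uint64_t offset)
{
    return offset < DP_CORE_REG_ARRAY_SIZE;
}

/* How many indices the old bound accepted that lie outside the array. */
uint64_t old_bound_excess(void)
{
    return (OLD_UPPER_BOUND + 1) - DP_CORE_REG_ARRAY_SIZE;
}

/*
 * Model of the MMIO dispatch: the bus hands the handler a byte address
 * that the memory subsystem has already confined to the registered
 * window; the handler turns it into a register index. Returns false
 * (and writes nothing) when the address falls outside the window.
 */
bool model_dp_write(ModelDPState *s, uint64_t addr, uint32_t value)
{
    if (addr + sizeof(uint32_t) > CORE_IOMEM_SIZE) {
        return false;            /* never reaches the register handler */
    }
    uint64_t offset = addr >> 2; /* byte address -> register index */
    /* Internal invariant: the window size bounds the index. */
    if (!new_check_passes(offset)) {
        return false;
    }
    s->core_registers[offset] = value;
    return true;
}

/* Largest register index reachable through the window in this model. */
uint64_t max_reachable_index(void)
{
    return (CORE_IOMEM_SIZE - sizeof(uint32_t)) >> 2;
}

/* Write through the model and confirm the value landed at addr >> 2. */
bool model_write_roundtrip(uint64_t addr, uint32_t value)
{
    ModelDPState s;
    memset(&s, 0, sizeof(s));
    if (!model_dp_write(&s, addr, value)) {
        return false;
    }
    return s.core_registers[addr >> 2] == value;
}

int main(void)
{
    printf("array entries: %d, old bound admitted indices up to %d (%llu too many)\n",
           DP_CORE_REG_ARRAY_SIZE, OLD_UPPER_BOUND,
           (unsigned long long)old_bound_excess());
    printf("last index through the window: %llu, new check on it: %s\n",
           (unsigned long long)max_reachable_index(),
           new_check_passes(max_reachable_index()) ? "pass" : "fail");
    printf("write at 0x3AC: %s; write at 0x3B0: %s\n",
           model_write_roundtrip(0x3AC, 1) ? "ok" : "rejected",
           model_write_roundtrip(0x3B0, 1) ? "ok" : "rejected");
    return 0;
}
```

The point the model makes is that an index check must be strict against the element count: index 236 passes the old bound but is one past the end of a 236-entry array, and only the window size, not the old assert, kept real guests away from it.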
