Re: [libvirt] [PATCH 2/3] adlib: mark as insecure and deprecated.

+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+ | We have a lovely, guest-triggerable buffer overflow in opl2 emulation. | | Reproducer: | outw(0xff60, 0x220); | outw(0x1020, 0x220); | outw(0xffb0, 0x220); | Result: | Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch]) + Reported-by: Wangjunqing <wangjunqing(a)huawei.com&gt; | diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c | index 97b876c..fb4a29c 100644 | --- a/hw/audio/adlib.c | +++ b/hw/audio/adlib.c | @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) | set_bit(DEVICE_CATEGORY_SOUND, dc->categories); | dc->desc = ADLIB_DESC; | dc->props = adlib_properties; | + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; | } | | static const TypeInfo adlib_info = { | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi | index 11b870c..7951a4f 100644 | --- a/qemu-deprecated.texi | +++ b/qemu-deprecated.texi | @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and | The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' | or ``ivshmem-doorbell`` device types. | | +@subsection adlib (since 3.1) | + | +Has known buffer overflow. | + | @section System emulator machines | | @subsection pc-0.10 and pc-0.11 (since 3.0) Okay. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F