
On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote:
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
|
| Reproducer:
|   outw(0xff60, 0x220);
|   outw(0x1020, 0x220);
|   outw(0xffb0, 0x220);
| Result:
|   Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
+ Reported-by: Wangjunqing <wangjunqing@huawei.com>
So you have a CVE number for this ? If so, it should be referenced in the commit message too, even if we can't fix the problem.
| diff --git a/hw/audio/adlib.c b/hw/audio/adlib.c | index 97b876c..fb4a29c 100644 | --- a/hw/audio/adlib.c | +++ b/hw/audio/adlib.c | @@ -311,6 +311,7 @@ static void adlib_class_initfn (ObjectClass *klass, void *data) | set_bit(DEVICE_CATEGORY_SOUND, dc->categories); | dc->desc = ADLIB_DESC; | dc->props = adlib_properties; | + dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation"; | } | | static const TypeInfo adlib_info = { | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi | index 11b870c..7951a4f 100644 | --- a/qemu-deprecated.texi | +++ b/qemu-deprecated.texi | @@ -116,6 +116,10 @@ The @option{[hub_id name]} parameter tuple of the 'hostfwd_add' and | The ``ivshmem'' device type is replaced by either the ``ivshmem-plain'' | or ``ivshmem-doorbell`` device types. | | +@subsection adlib (since 3.1) | + | +Has known buffer overflow.
It would be good to give a recommendation to a better choice to replace its usage
| + | @section System emulator machines | | @subsection pc-0.10 and pc-0.11 (since 3.0)
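Review bot: in the adlib.c hunk the new `dc->deprecation_reason = "insecure, buffer overflow in opl2 emulation";` only labels the device; the guest-triggerable overflow described at the top of the thread remains reachable from any guest that is given an adlib device until the device is actually removed. The string is the one thing an operator will see, so it should tell them what to do: not to expose adlib to untrusted guests, which sound device to use instead (the point raised about the texi entry applies here too), and the CVE id once one is assigned.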
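Review bot: the qemu-deprecated.texi hunk's `+Has known buffer overflow.` is too thin for a user-facing deprecation entry. It should say that the overflow is guest-triggerable (as the report above states), reference the CVE number if there is one, and name the replacement device so administrators can migrate existing VM definitions; as written, a reader cannot tell whether a VM that carries an adlib device needs changing.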
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
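The report quoted at the top of the thread is a guest-controlled register value being used to index a fixed-size table (FM_OPL->AR_TABLE[]) with no range check. The following is an added example, not QEMU's fmopl or adlib code, that models that pattern defensively: it splits the reproducer's outw() values into register address and data byte (assuming the word write lands as one byte on the address port 0x220 and one on the data port 0x221), derives a table index from the data byte with a constructed formula, and refuses any index outside the table instead of writing past it. The table length, the index formula and the function names are illustrative assumptions; only the three outw() values come from the thread.

```c
/* Added example, not QEMU code: a register write whose data byte selects a
 * table entry, with the bounds check that a guest-triggerable overflow of a
 * fixed table calls for.  TABLE_LEN and opl_table_index() are constructed for
 * illustration; they are not fmopl's AR_TABLE size or rate arithmetic. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_LEN 64   /* constructed length, not fmopl's */

typedef struct {
    uint8_t reg;       /* register address byte */
    uint8_t data;      /* data byte written to that register */
} OplWrite;

/* outw(value, 0x220): the low byte goes to the address port (0x220) and the
 * high byte to the data port (0x221).  This split is an assumption stated
 * for the example; it is how the reproducer's values are read here. */
OplWrite opl_decode_outw(uint16_t value)
{
    OplWrite w = { (uint8_t)(value & 0xff), (uint8_t)(value >> 8) };
    return w;
}

/* Constructed index derivation: high nibble picks a group of 16 entries, low
 * nibble the entry.  A data byte of 0xff yields 255, far beyond TABLE_LEN,
 * which is the shape of problem the report describes. */
size_t opl_table_index(uint8_t data)
{
    return (size_t)(data >> 4) * 16 + (data & 0x0f);
}

typedef struct {
    int32_t table[TABLE_LEN];
    int writes_rejected;   /* count of out-of-range writes refused */
} OplModel;

/* Hardened write path: validate the derived index before touching the table.
 * Returns 0 on success, -1 when the guest-supplied value is out of range. */
int opl_write_checked(OplModel *m, uint16_t outw_value)
{
    OplWrite w = opl_decode_outw(outw_value);
    size_t idx = opl_table_index(w.data);
    if (idx >= TABLE_LEN) {
        m->writes_rejected++;   /* refuse, rather than overflow, the table */
        return -1;
    }
    m->table[idx] = w.data;
    return 0;
}

/* Replays the thread's three-write reproducer against the checked model and
 * returns how many of the writes were rejected. */
int opl_replay_reproducer(OplModel *m)
{
    const uint16_t seq[] = { 0xff60, 0x1020, 0xffb0 };
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        opl_write_checked(m, seq[i]);
    }
    return m->writes_rejected;
}
```

Against this model the first and third writes (data byte 0xff) are refused and only the second (data byte 0x10, index 16) lands in the table. The point of the shape is that the check sits on the derived index, not on the raw register value, because it is the arithmetic between the two that pushes the index past the table.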