Package: mednafen Version: 0.9.41+dfsg-2+b1 Severity: serious Tags: patch security Justification: security
Dear Maintainer, (Note for the security team: this has been published in the 1.22.2 upstream release. I’m not aware of any exploit for this issue. This is qualified as a potential security issue by upstream, hence the “serious” severity rather than grave. The patch applies to both the Stretch and Buster versions.) Upstream fixed a potential unchecked memory access in the Lynx emulator in the latest release of Mednafen; the attached patch fixes it. Regards, Stephen -- System Information: Debian Release: 9.9 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-9-amd64 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages mednafen depends on: ii libasound2 1.1.3-5 ii libc6 2.24-11+deb9u4 ii libgcc1 1:6.3.0-18+deb9u1 ii libjack-jackd2-0 [libjack-0.125] 1.9.10+20150825git1ed50c92~dfsg-5 ii libmpcdec6 2:0.1~r495-1+b1 ii libsdl1.2debian 1.2.15+dfsg1-4 ii libsndfile1 1.0.27-3 ii libstdc++6 6.3.0-18+deb9u1 ii libtrio2 1.16+dfsg1-3+b2 ii libvorbisidec1 1.0.2+svn18153-1+deb9u1 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages mednafen recommends: ii mednaffe 0.8.4-1+b1 mednafen suggests no packages. -- no debconf information
diff -rupN 1.22.1/src/lynx/ram.h 1.22.2/src/lynx/ram.h
--- 1.22.1/src/lynx/ram.h 2019-01-27 22:52:37.000000000 -0800
+++ 1.22.2/src/lynx/ram.h 2019-04-23 14:54:58.000000000 -0700
@@ -65,8 +65,8 @@ class CRam : public CLynxBase
 void Reset(void) MDFN_COLD;
- void Poke(uint32 addr, uint8 data){ mRamData[addr]=data;};
- uint8 Peek(uint32 addr){ return(mRamData[addr]);};
+ void Poke(uint32 addr, uint8 data){ mRamData[(uint16)addr]=data;};
+ uint8 Peek(uint32 addr){ return(mRamData[(uint16)addr]);};
 uint32 ReadCycle(void) {return 5;};
 uint32 WriteCycle(void) {return 5;};
 uint32 ObjectSize(void) {return RAM_SIZE;};
diff -rupN 1.22.1/src/lynx/susie.cpp 1.22.2/src/lynx/susie.cpp
--- 1.22.1/src/lynx/susie.cpp 2019-01-27 22:52:37.000000000 -0800
+++ 1.22.2/src/lynx/susie.cpp 2019-04-23 14:54:58.000000000 -0700
@@ -58,13 +58,9 @@
 // wa can access this directly without the hassle of
 // going through the system object, much faster
 //
-//#define RAM_PEEK(m) (mSystem.Peek_RAM((m)))
-//#define RAM_POKE(m1,m2) (mSystem.Poke_RAM((m1),(m2)))
-//#define RAM_PEEKW(m) (mSystem.PeekW_RAM((m)))
-
-#define RAM_PEEK(m) (mRamPointer[(m)])
-#define RAM_PEEKW(m) (mRamPointer[(m)]+(mRamPointer[(m)+1]<<8))
-#define RAM_POKE(m1,m2) {mRamPointer[(m1)]=(m2);}
+#define RAM_PEEK(m) (mRamPointer[(uint16)(m)])
+#define RAM_PEEKW(m) (mRamPointer[(uint16)(m)]+(mRamPointer[(uint16)((m)+1)]<<8))
+#define RAM_POKE(m1,m2) {mRamPointer[(uint16)(m1)]=(m2);}
 uint32 cycles_used=0;
@@ -838,7 +834,7 @@ uint32 CSusie::PaintSprites(void)
 INLINE void CSusie::WritePixel(uint32 hoff,uint32 pixel)
 {
- uint32 scr_addr=mLineBaseAddress+(hoff/2);
+ const uint16 scr_addr=mLineBaseAddress+(hoff/2);
 uint8 dest=RAM_PEEK(scr_addr);
 if(!(hoff&0x01))
@@ -861,7 +857,7 @@ INLINE void CSusie::WritePixel(uint32 ho
 INLINE uint32 CSusie::ReadPixel(uint32 hoff)
 {
- uint32 scr_addr=mLineBaseAddress+(hoff/2);
+ const uint16 scr_addr=mLineBaseAddress+(hoff/2);
 uint32 data=RAM_PEEK(scr_addr);
 if(!(hoff&0x01))
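Review bot: In ram.h, `Poke` and `Peek` now truncate `addr` with `(uint16)`, which keeps the index in range only if `mRamData` holds at least 65536 bytes; the array's declaration is not in the hunk, so that size is an assumption here. A `static_assert(RAM_SIZE == 65536, "16-bit address wrap assumes 64 KiB of RAM");` next to the accessors would tie the cast to the buffer size, provided the build allows `static_assert`. The same assumption sits behind the `RAM_PEEK`, `RAM_PEEKW` and `RAM_POKE` macros in susie.cpp, which index `mRamPointer` directly. The class body continues outside the hunk.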
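Review bot: `RAM_PEEKW` in susie.cpp expands `m` twice and now wraps the address of the high byte, so a word read at 0xFFFF takes its second byte from offset 0; neither property is stated next to the macro. A comment above the three defines, such as `// Addresses wrap at 16 bits: RAM_PEEKW(0xFFFF) reads its high byte from 0x0000; arguments must have no side effects`, would record the intended behaviour. `RAM_POKE` is still a bare `{...}` block, which misparses as the body of an unbraced `if` that has an `else`; `do { mRamPointer[(uint16)(m1)]=(m2); } while(0)` is the usual form.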
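Review bot: In `CSusie::WritePixel`, `const uint16 scr_addr=mLineBaseAddress+(hoff/2);` narrows a sum that is at least 32 bits wide (`hoff` is `uint32`) without saying so, so the wrap that bounds the later RAM access is invisible where it happens and will be reported by `-Wconversion`. Writing it as `const uint16 scr_addr=(uint16)(mLineBaseAddress+(hoff/2)); // wraps at 64 KiB on purpose` makes the truncation explicit. The same line appears in `ReadPixel`, and in `WriteCollision` and `ReadCollision` with `col_addr` and `mLineCollisionAddress`. All four function bodies continue outside their hunks.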
@@ -883,7 +879,7 @@ INLINE uint32 CSusie::ReadPixel(uint32 h INLINE void CSusie::WriteCollision(uint32 hoff,uint32 pixel) { - uint32 col_addr=mLineCollisionAddress+(hoff/2); + const uint16 col_addr=mLineCollisionAddress+(hoff/2); uint8 dest=RAM_PEEK(col_addr); if(!(hoff&0x01)) @@ -906,7 +902,7 @@ INLINE void CSusie::WriteCollision(uint3 INLINE uint32 CSusie::ReadCollision(uint32 hoff) { - uint32 col_addr=mLineCollisionAddress+(hoff/2); + const uint16 col_addr=mLineCollisionAddress+(hoff/2); uint32 data=RAM_PEEK(col_addr); if(!(hoff&0x01)) diff -rupN 1.22.1/src/lynx/sysbase.h 1.22.2/src/lynx/sysbase.h --- 1.22.1/src/lynx/sysbase.h 2019-01-27 22:52:37.000000000 -0800 +++ 1.22.2/src/lynx/sysbase.h 2019-04-23 14:54:58.000000000 -0700 @@ -61,11 +61,6 @@ class CSystemBase virtual void PokeW_CPU(uint32 addr,uint16 data)=0; virtual uint16 PeekW_CPU(uint32 addr)=0; - virtual void Poke_RAM(uint32 addr,uint8 data)=0; - virtual uint8 Peek_RAM(uint32 addr)=0; - virtual void PokeW_RAM(uint32 addr,uint16 data)=0; - virtual uint16 PeekW_RAM(uint32 addr)=0; - virtual uint8* GetRamPointer(void)=0; }; diff -rupN 1.22.1/src/lynx/system.h 1.22.2/src/lynx/system.h --- 1.22.1/src/lynx/system.h 2019-01-27 22:52:37.000000000 -0800 +++ 1.22.2/src/lynx/system.h 2019-04-23 14:54:58.000000000 -0700 
@@ -158,14 +158,6 @@ class CSystem : public CSystemBase inline void PokeW_CPU(uint32 addr,uint16 data) { mMemoryHandlers[addr]->Poke(addr,data&0xff);addr++;mMemoryHandlers[addr]->Poke(addr,data>>8);}; inline uint16 PeekW_CPU(uint32 addr) {return ((mMemoryHandlers[addr]->Peek(addr))+(mMemoryHandlers[addr]->Peek(addr+1)<<8));}; - // - // RAM - // - inline void Poke_RAM(uint32 addr, uint8 data) { mRam->Poke(addr,data);}; - inline uint8 Peek_RAM(uint32 addr) { return mRam->Peek(addr);}; - inline void PokeW_RAM(uint32 addr,uint16 data) { mRam->Poke(addr,data&0xff);addr++;mRam->Poke(addr,data>>8);}; - inline uint16 PeekW_RAM(uint32 addr) {return ((mRam->Peek(addr))+(mRam->Peek(addr+1)<<8));}; - // High level cart access for debug etc inline void Poke_CART(uint32 addr, uint8 data) {mCart->Poke(addr,data);};