Hi Anastasia,
On 14/9/23 11:27, Anastasia Belova wrote:
> If slot_id >= NUM_MEMSLOTS, buffer overflow is possible.
overflow: unlikely. Do you mean over-read?
Did you find that by code audit? I can't see where this
function gets slot_id >= NUM_MEMSLOTS.
This isn't guest triggerable and seems
14.09.2023 12:27, Anastasia Belova wrote:
> If slot_id >= NUM_MEMSLOTS, buffer overflow is possible.
> So the check should be above d->guest_slots[slot_id],
> where the size of d->guest_slots is NUM_MEMSLOTS.
> Fixes: e954ea2873 ("qxl: qxl_add_memslot: remove guest trigerrable panics")
> Signed-off-by:
If slot_id >= NUM_MEMSLOTS, buffer overflow is possible.
So the check should be above d->guest_slots[slot_id],
where the size of d->guest_slots is NUM_MEMSLOTS.
Fixes: e954ea2873 ("qxl: qxl_add_memslot: remove guest trigerrable panics")
Signed-off-by: Anastasia Belova
---
hw/display/qxl.c | 11
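The ordering question this thread is about, as an added example in C that is not QEMU's hw/display/qxl.c and not the patch under review: a minimal model in which the names NUM_MEMSLOTS, guest_slots and slot_id follow the thread, while the struct layout, the return codes, the "active slot" rule and the helper functions are assumptions made for illustration. The "before" function indexes guest_slots and reads the slot before slot_id is compared with NUM_MEMSLOTS, so an out-of-range id reads past the end of the array (the over-read the reviewer asks about) before the check can reject it; the "after" function rejects the id first and never touches the array. For in-range ids both behave identically, which is the property one would want to confirm of a reordering fix.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical device model (assumption, not qxl.c): a fixed array of
 * guest memory slots indexed by slot_id. */
#define NUM_MEMSLOTS 8

struct guest_slot {
    uint64_t start;
    uint64_t end;
    bool active;
};

struct device {
    struct guest_slot guest_slots[NUM_MEMSLOTS];
};

/* "Before" ordering: the slot is indexed and read before slot_id is checked.
 * For slot_id >= NUM_MEMSLOTS the first two statements read past the end of
 * guest_slots (undefined behaviour in C; in practice an over-read of whatever
 * follows the array) and the range check only fires afterwards. Kept here as
 * the pattern to avoid; it is only ever called with in-range ids below. */
static int add_memslot_check_after_index(struct device *d, unsigned int slot_id,
                                         uint64_t start, uint64_t end)
{
    struct guest_slot *slot = &d->guest_slots[slot_id]; /* indexed before the check */
    bool was_active = slot->active;                     /* the over-read happens here */
    if (slot_id >= NUM_MEMSLOTS) {
        return -1;                                      /* too late: memory already read */
    }
    if (was_active) {
        return -2;                                      /* assumption: refuse to redefine */
    }
    slot->start = start;
    slot->end = end;
    slot->active = true;
    return 0;
}

/* "After" ordering: validate slot_id first, then index. No element of
 * guest_slots is touched for an out-of-range id, wherever the id came from. */
static int add_memslot_check_before_index(struct device *d, unsigned int slot_id,
                                          uint64_t start, uint64_t end)
{
    if (slot_id >= NUM_MEMSLOTS) {
        return -1;
    }
    struct guest_slot *slot = &d->guest_slots[slot_id];
    if (slot->active) {
        return -2;
    }
    slot->start = start;
    slot->end = end;
    slot->active = true;
    return 0;
}

/* Number of active slots; used to show that a rejected call left no trace. */
static unsigned int active_slot_count(const struct device *d)
{
    unsigned int n = 0;
    for (unsigned int i = 0; i < NUM_MEMSLOTS; i++) {
        n += d->guest_slots[i].active ? 1u : 0u;
    }
    return n;
}

/* Scratch device reset to all-zero (no active slots) for repeatable runs. */
static struct device scratch;
static struct device *reset_scratch(void)
{
    memset(&scratch, 0, sizeof scratch);
    return &scratch;
}

int main(void)
{
    struct device *d = reset_scratch();
    /* Constructed inputs: last valid id, first invalid id, largest id value. */
    unsigned int ids[] = { NUM_MEMSLOTS - 1, NUM_MEMSLOTS, UINT_MAX };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        int rc = add_memslot_check_before_index(d, ids[i], 0x1000, 0x2000);
        printf("slot_id=%u -> rc=%d, active slots=%u\n",
               ids[i], rc, active_slot_count(d));
    }
    /* For an in-range id the two orderings agree. */
    printf("in-range, check-after-index: rc=%d\n",
           add_memslot_check_after_index(d, 0, 0x3000, 0x4000));
    return 0;
}
```

Note that slot_id is unsigned in both functions, so the single comparison `slot_id >= NUM_MEMSLOTS` also covers what would otherwise be negative values; a signed slot_id would need a second check.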