From: TeLeMan <geleman@gmail.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed
Date: Fri, 30 Nov 2007 17:36:13 -0800 (PST)
Message-ID: <14101223.post@talk.nabble.com>
In-Reply-To: <f43fc5580711300804k47409157yd795727a659533dd@mail.gmail.com>
Blue Swirl-2 wrote:
>
> On 11/28/07, TeLeMan <geleman@gmail.com> wrote:
>>
>> dyngen_code() can generate more than CODE_GEN_MAX_SIZE bytes, so
>> code_gen_buffer can be overflowed. I hope this security bug will be fixed soon.
>
> Thank you for the analysis. It's true that cpu_gen_code does not pass
> CODE_GEN_MAX_SIZE (65536) on to gen_intermediate_code and that should
> be fixed. But gen_intermediate_code can only add OPC_MAX_SIZE (512 -
> 32) instructions more, so there is no security bug.
>
>
This PoC is a Windows exe and was tested on QEMU v0.9.0 (guest OS is Windows
XP SP2).
This overflow will overwrite the TranslationBlock buffer.
http://www.nabble.com/file/p14101223/qemu-dos.rar
--
View this message in context: http://www.nabble.com/-security-bug-code_gen_buffer-can-be-overflowed-tf4886083.html#a14101223
Sent from the QEMU - Dev mailing list archive at Nabble.com.
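Added example, not QEMU code and not the PoC from this thread: a toy code generator in C that models the condition the thread describes. A fixed code buffer is directly followed by other memory (standing in for the TranslationBlock buffer the report says gets overwritten). The unchecked translator never consults the buffer size and spills into that memory; the checked translator ends the block when less than its per-op worst case (the role OPC_MAX_SIZE plays in the quoted reply) remains, and also verifies that worst case after each op, so a wrong bound is reported instead of silently corrupting memory. All sizes, the `guest_op` format and the `demo_*` scenario functions are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative stand-ins (assumption), not QEMU's real constants. */
#define CODE_REGION   256   /* plays the role of CODE_GEN_MAX_SIZE        */
#define TB_REGION      64   /* memory that follows the code buffer        */
#define OP_MAX_BYTES   32   /* translator's claimed worst case for one op */

/* Constructed guest op: translating it emits host_bytes bytes of host code. */
struct guest_op { uint8_t opcode; size_t host_bytes; };

struct arena {
    uint8_t  mem[CODE_REGION + TB_REGION]; /* code buffer, then "TB" memory */
    uint8_t *code_end;                     /* &mem[CODE_REGION]              */
    uint8_t *ptr;                          /* next free byte                 */
};

static void arena_init(struct arena *a) {
    memset(a->mem, 0, sizeof a->mem);
    a->code_end = a->mem + CODE_REGION;
    a->ptr = a->mem;
}

/* Bytes of the region after the code buffer that the generator clobbered. */
static size_t tb_clobbered(const struct arena *a) {
    size_t n = 0;
    for (size_t i = CODE_REGION; i < sizeof a->mem; i++) n += a->mem[i] != 0;
    return n;
}

/* Emit one op's host code (host_bytes copies of its opcode), writing at most
   `limit` bytes. Returns the size the op really needed, so the caller can tell
   when an op was larger than the space it was given. */
static size_t emit(struct arena *a, const struct guest_op *op, size_t limit) {
    size_t n = op->host_bytes < limit ? op->host_bytes : limit;
    memset(a->ptr, op->opcode, n);
    a->ptr += n;
    return op->host_bytes;
}

/* Unchecked: the code buffer size is never consulted, as in the report. The
   only limit is the arena itself, so the demo stays inside its own memory. */
static size_t translate_unchecked(struct arena *a, const struct guest_op *ops, size_t count) {
    for (size_t i = 0; i < count; i++)
        emit(a, &ops[i], (size_t)(a->mem + sizeof a->mem - a->ptr));
    return count;
}

/* Checked: before each op, require OP_MAX_BYTES of room in the code buffer and
   end the block otherwise; after each op, verify the worst-case claim held.
   Returns ops consumed (the caller starts a new block for the rest), or -1 when
   an op needed more than OP_MAX_BYTES, i.e. the bound itself was wrong. */
static long translate_checked(struct arena *a, const struct guest_op *ops, size_t count) {
    size_t i;
    for (i = 0; i < count; i++) {
        size_t room = (size_t)(a->code_end - a->ptr);
        if (room < OP_MAX_BYTES) break;
        if (emit(a, &ops[i], room) > OP_MAX_BYTES) return -1;
    }
    return (long)i;
}

/* Scenario: nine ops of 30 host bytes each, 270 bytes into a 256-byte buffer. */
static void nine_ops(struct guest_op ops[9]) {
    for (int i = 0; i < 9; i++) { ops[i].opcode = 0x90; ops[i].host_bytes = 30; }
}

static long run_checked_nine(struct arena *a) {
    struct guest_op ops[9];
    arena_init(a);
    nine_ops(ops);
    return translate_checked(a, ops, 9);
}

size_t demo_unchecked_clobbers_tb(void) {   /* 270 - 256 = 14 bytes past the buffer */
    struct arena a; struct guest_op ops[9];
    arena_init(&a);
    nine_ops(ops);
    translate_unchecked(&a, ops, 9);
    return tb_clobbered(&a);
}

long demo_checked_ops_consumed(void) {      /* stops after 8 ops: 16 bytes < OP_MAX_BYTES left */
    struct arena a;
    return run_checked_nine(&a);
}

size_t demo_checked_clobbers_tb(void) {     /* nothing written past the code buffer */
    struct arena a;
    run_checked_nine(&a);
    return tb_clobbered(&a);
}

long demo_checked_detects_bad_bound(void) { /* one op of 40 bytes exceeds the claimed worst case */
    struct arena a; struct guest_op op = { 0x90, 40 };
    arena_init(&a);
    return translate_checked(&a, &op, 1);
}
```

The point of the second check in `translate_checked` is the one the thread turns on: reserving a per-op worst case only protects the buffer if every op really stays under it, so a translator should treat an op that exceeds its own bound as a bug to report, not as a few more bytes to write.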
Thread overview: 5+ messages
2007-11-28 3:37 [Qemu-devel] [security bug]code_gen_buffer can be overflowed TeLeMan
2007-11-30 16:04 ` Blue Swirl
2007-12-01 1:36 ` TeLeMan [this message]
2007-12-01 17:51 ` Blue Swirl
2007-12-09 8:57 ` Blue Swirl