From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Iy8M2-00034W-27
	for qemu-devel@nongnu.org; Fri, 30 Nov 2007 11:04:38 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1Iy8Lx-00033Q-K4
	for qemu-devel@nongnu.org; Fri, 30 Nov 2007 11:04:37 -0500
Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Iy8Lx-00033G-Af
	for qemu-devel@nongnu.org; Fri, 30 Nov 2007 11:04:33 -0500
Received: from hs-out-0708.google.com ([64.233.178.242]
	helo=hs-out-2122.google.com)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <blauwirbel@gmail.com>) id 1Iy8Lw-0007eT-Gr
	for qemu-devel@nongnu.org; Fri, 30 Nov 2007 11:04:32 -0500
Received: by hs-out-2122.google.com with SMTP id 23so8925hsn
	for <qemu-devel@nongnu.org>; Fri, 30 Nov 2007 08:04:31 -0800 (PST)
Message-ID: <f43fc5580711300804k47409157yd795727a659533dd@mail.gmail.com>
Date: Fri, 30 Nov 2007 18:04:29 +0200
From: "Blue Swirl" <blauwirbel@gmail.com>
Subject: Re: [Qemu-devel] [security bug]code_gen_buffer can be overflowed
In-Reply-To: <13985284.post@talk.nabble.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <13985284.post@talk.nabble.com>
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

On 11/28/07, TeLeMan <geleman@gmail.com> wrote:
>
> dyngen_code() can generate more than CODE_GEN_MAX_SIZE bytes, code_gen_buffer
> can be overflowed. I hope this security bug will be fixed soon.

Thank you for the analysis. It's true that cpu_gen_code does not pass
CODE_GEN_MAX_SIZE (65536) on to gen_intermediate_code and that should
be fixed. But gen_intermediate_code can only add OPC_MAX_SIZE (512 -
32) instructions more, so there is no security bug.