qemu/hw
Prasad J Pandit a98610c429 ati-vga: check mm_index before recursive call (CVE-2020-13800)
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Message-id: 20200604090830.33885-1-ppandit@redhat.com
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-06-05 09:14:40 +02:00
9pfs xen/9pfs: increase max ring order to 9 2020-05-25 11:45:40 +02:00
acpi qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
adc
alpha hw/ide: Do ide_drive_get() within pci_ide_create_devs() 2020-03-17 12:22:36 -04:00
arm arm/sabrelite: Consistently use &error_fatal in sabrelite_init() 2020-05-27 07:45:45 +02:00
audio hw/audio/gus: Use AUDIO_HOST_ENDIANNESS definition from 'audio/audio.h' 2020-05-25 11:30:03 +02:00
block hw/block/pflash: Check return value of blk_pwrite() 2020-05-22 19:38:14 +02:00
char hw/char/xilinx_uartlite: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
core various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
cpu qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
cris hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
display ati-vga: check mm_index before recursive call (CVE-2020-13800) 2020-06-05 09:14:40 +02:00
dma hw/arm/pxa2xx: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
gpio ARM: PL061: Introduce N_GPIOS 2020-05-21 22:05:27 +01:00
hppa hw/ide: Remove unneeded inclusion of hw/ide.h 2020-03-17 12:22:36 -04:00
hyperv qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
i2c hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
i386 hw: Use QEMU_IS_ALIGNED() on parallel flash block size 2020-05-18 19:05:25 +02:00
ide hw/ide/ahci: Log lost IRQs 2020-05-18 19:05:25 +02:00
input qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
intc qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ipack qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
ipmi various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
isa hw/mips/fuloong2e: Fix typo in Fuloong machine name 2020-05-26 13:20:48 +02:00
lm32 hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
m68k hw/m68k/mcf52xx: Replace hw_error() by qemu_log_mask() 2020-05-30 09:17:46 +02:00
mem nvdimm: Plug memory leak in uuid property setter 2020-05-27 07:44:59 +02:00
microblaze various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
mips hw/mips: fuloong2e: Set preferred page size to 16KB 2020-06-01 13:28:21 +02:00
misc hw: Move i.MX watchdog driver to hw/watchdog 2020-05-21 20:00:18 +01:00
moxie hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
net hw/m68k/mcf52xx: Replace hw_error() by qemu_log_mask() 2020-05-30 09:17:46 +02:00
nios2 qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
nubus hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
nvram hw/nvram/mac_nvram: Convert debug printf()s to trace events 2020-05-27 15:29:36 +10:00
openrisc hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
pci qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
pci-bridge hw/pci-bridge/dec: Remove dead debug code 2020-05-27 15:29:36 +10:00
pci-host hw/mips/fuloong2e: Fix typo in Fuloong machine name 2020-05-26 13:20:48 +02:00
pcmcia qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
ppc ppc/spapr: Add hotremovable flag on DIMM LMBs on drmem_v2 2020-05-27 15:29:36 +10:00
rdma lockable: Replace locks with lock guard macros 2020-05-04 16:07:43 +01:00
riscv riscv: Initial commit of OpenTitan machine 2020-06-03 09:11:51 -07:00
rtc qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
s390x various: Remove unnecessary OBJECT() cast 2020-05-15 07:08:14 +02:00
scsi qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
sd error: Use error_reportf_err() where appropriate 2020-05-27 07:45:30 +02:00
semihosting
sh4 hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
smbios
sparc qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
sparc64 qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
ssi qom: Drop parameter @errp of object_property_add() & friends 2020-05-15 07:07:58 +02:00
timer hw/timer/exynos4210_mct: Replace hw_error() by qemu_log_mask() 2020-05-21 22:05:27 +01:00
tpm hw/tpm: fix usage of bool in tpm-tis.c 2020-05-12 11:47:24 -04:00
tricore hw: Do not initialize MachineClass::is_default to 0 2020-02-28 14:57:19 -05:00
unicore32 hw: Make MachineClass::is_default a boolean type 2020-02-28 14:57:19 -05:00
usb error: Use error_reportf_err() where appropriate 2020-05-27 07:45:30 +02:00
vfio vfio/nvlink: Remove exec permission to avoid SELinux AVCs 2020-05-27 15:29:36 +10:00
virtio qdev: Unrealize must not fail 2020-05-15 07:08:14 +02:00
watchdog hw/watchdog: Implement full i.MX watchdog support 2020-05-21 20:00:18 +01:00
xen hw: Remove unnecessary DEVICE() cast 2020-05-15 07:08:52 +02:00
xenpv
xtensa
Kconfig
Makefile.objs