From 193ff9540a78b0ed717071bce77e918fc1704482 Mon Sep 17 00:00:00 2001 From: Zheyu Ma Date: Sun, 30 Jun 2024 15:04:26 +0200 Subject: [PATCH] hw/display/tcx: Fix out-of-bounds access in tcx_blit_writel This patch addresses a potential out-of-bounds memory access issue in the tcx_blit_writel function. It adds bounds checking to ensure that memory accesses do not exceed the allocated VRAM size. If an out-of-bounds access is detected, an error is logged using qemu_log_mask. ASAN log: ==2960379==ERROR: AddressSanitizer: SEGV on unknown address 0x7f524752fd01 (pc 0x7f525c2c4881 bp 0x7ffdaf87bfd0 sp 0x7ffdaf87b788 T0) ==2960379==The signal is caused by a READ memory access. #0 0x7f525c2c4881 in memcpy string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:222 #1 0x55aa782bd5b1 in __asan_memcpy llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 #2 0x55aa7854dedd in tcx_blit_writel hw/display/tcx.c:590:13 Reproducer: cat << EOF | qemu-system-sparc -display none \ -machine accel=qtest, -m 512M -machine LX -m 256 -qtest stdio writel 0x562e98c4 0x3d92fd01 EOF Signed-off-by: Zheyu Ma Message-Id: <20240630130426.2966539-1-zheyuma97@gmail.com> --- hw/display/tcx.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/display/tcx.c b/hw/display/tcx.c index 99507e763886..af43bea7f2dd 100644 --- a/hw/display/tcx.c +++ b/hw/display/tcx.c @@ -33,6 +33,7 @@ #include "migration/vmstate.h" #include "qemu/error-report.h" #include "qemu/module.h" +#include "qemu/log.h" #include "qom/object.h" #define TCX_ROM_FILE "QEMU,tcx.bin" @@ -577,6 +578,14 @@ static void tcx_blit_writel(void *opaque, hwaddr addr, addr = (addr >> 3) & 0xfffff; adsr = val & 0xffffff; len = ((val >> 24) & 0x1f) + 1; + + if (addr + len > s->vram_size || adsr + len > s->vram_size) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: VRAM access out of bounds. addr: 0x%lx, adsr: 0x%x, len: %u\n", + __func__, addr, adsr, len); + return; + } + if (adsr == 0xffffff) { memset(&s->vram[addr], s->tmpblit, len); if (s->depth == 24) {