From: Prasad J Pandit <p...@fedoraproject.org> While accessing VGA registers via ati_mm_read/write routines, a guest may set 's->regs.mm_index' such that it leads to infinite recursion. Check mm_index value to avoid it.
Reported-by: Ren Ding <rd...@gatech.edu> Reported-by: Hanqing Zhao <hanq...@gatech.edu> Reported-by: Yi Ren <c4t...@gmail.com> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/display/ati.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Update v2: add check before recursive call -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00781.html diff --git a/hw/display/ati.c b/hw/display/ati.c index 065f197678..bda4a2d816 100644 --- a/hw/display/ati.c +++ b/hw/display/ati.c @@ -285,7 +285,7 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) if (idx <= s->vga.vram_size - size) { val = ldn_le_p(s->vga.vram_ptr + idx, size); } - } else { + } else if (s->regs.mm_index > MM_DATA + 3) { val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); } break; @@ -520,7 +520,7 @@ static void ati_mm_write(void *opaque, hwaddr addr, if (idx <= s->vga.vram_size - size) { stn_le_p(s->vga.vram_ptr + idx, size, data); } - } else { + } else if (s->regs.mm_index > MM_DATA + 3) { ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); } break; -- 2.26.2