Blue Swirl-2 wrote:
>
> On 11/28/07, TeLeMan <[EMAIL PROTECTED]> wrote:
>>
>> dyngen_code() can generate more than CODE_GEN_MAX_SIZE bytes, code_gen_buffer
>> can be overflowed. I hope this security bug will be fixed soon.
>
> Thank you for the analysis. It's true that cpu_gen_code does not pass
> CODE_GEN_MAX_SIZE (65536) on to gen_intermediate_code and that should
> be fixed. But gen_intermediate_code can only add OPC_MAX_SIZE (512 -
> 32) instructions more, so there is no security bug.
>
This POC is a Windows exe and was tested on QEMU v0.9.0 (Guest OS is Windows XP SP2). This overflow will overwrite the TranslationBlock buffer.

http://www.nabble.com/file/p14101223/qemu-dos.rar

--
View this message in context: http://www.nabble.com/-security-bug-code_gen_buffer-can-be-overflowed-tf4886083.html#a14101223
Sent from the QEMU - Dev mailing list archive at Nabble.com.
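The size-check logic the two replies disagree about, as an added example that is not code from the thread or from QEMU: a toy translator emits host bytes into a fixed buffer, once with the caller never passing the remaining-space limit (the pattern TeLeMan reports) and once ending the translation block as soon as fewer than OPC_MAX_SIZE bytes remain (the slack argument Blue Swirl makes). Only the two constant names come from the thread; the buffer sizes, the struct and function names and the guest-instruction model are assumptions of this example, and the memory after the buffer is modelled inside the same allocation so every write stays well-defined C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions for this model, not QEMU's values (the thread quotes
 * 65536 and 512 - 32); a small buffer keeps the demonstration readable. */
#define CODE_GEN_MAX_SIZE 4096
#define OPC_MAX_SIZE      (512 - 32)   /* worst case one guest insn may add */
#define ADJACENT_SIZE     2048         /* memory modelled as following the buffer */

/* One flat allocation: the first CODE_GEN_MAX_SIZE bytes play the role of
 * code_gen_buffer, the rest stands in for whatever sits after it (the
 * TranslationBlock data the poster says gets overwritten). */
struct code_gen_area {
    uint8_t mem[CODE_GEN_MAX_SIZE + ADJACENT_SIZE];
    size_t  used;
};

/* A guest instruction in this model is just the number of host bytes its
 * translation occupies (assumed model, not a real decoder). */
struct guest_insn {
    size_t host_bytes;
};

static void area_reset(struct code_gen_area *a)
{
    memset(a->mem, 0, sizeof a->mem);
    a->used = 0;
}

/* 1 if anything past the end of the logical buffer was written. */
int adjacent_clobbered(const struct code_gen_area *a)
{
    for (size_t i = CODE_GEN_MAX_SIZE; i < sizeof a->mem; i++)
        if (a->mem[i] != 0)
            return 1;
    return 0;
}

/* Bug pattern: the caller never tells the translator how much room is left,
 * so the block is translated to its end and spills past the buffer. The only
 * stop here is the model's own allocation boundary. Returns bytes emitted. */
size_t translate_unchecked(struct code_gen_area *a, const struct guest_insn *insns, size_t n)
{
    area_reset(a);
    for (size_t i = 0; i < n; i++) {
        if (a->used + insns[i].host_bytes > sizeof a->mem)
            break;                      /* model boundary only, not a security check */
        memset(a->mem + a->used, 0xCC, insns[i].host_bytes);
        a->used += insns[i].host_bytes;
    }
    return a->used;
}

/* Fixed pattern: before starting a guest instruction, make sure the worst
 * case (OPC_MAX_SIZE more bytes) still fits, otherwise close the block here.
 * Returns the number of guest insns translated, or -1 if one instruction
 * claims more than OPC_MAX_SIZE: the slack argument in the thread only holds
 * if that per-instruction bound is never exceeded. */
int translate_checked(struct code_gen_area *a, const struct guest_insn *insns, size_t n, size_t *used_out)
{
    size_t i;
    area_reset(a);
    for (i = 0; i < n; i++) {
        if (a->used + OPC_MAX_SIZE > CODE_GEN_MAX_SIZE)
            break;                      /* end the translation block early */
        if (insns[i].host_bytes > OPC_MAX_SIZE)
            return -1;
        memset(a->mem + a->used, 0xCC, insns[i].host_bytes);
        a->used += insns[i].host_bytes;
    }
    *used_out = a->used;
    return (int)i;
}

int main(void)
{
    static struct code_gen_area area;
    struct guest_insn block[20];
    for (size_t i = 0; i < 20; i++)
        block[i].host_bytes = 400;      /* constructed input: one long basic block */

    size_t used = translate_unchecked(&area, block, 20);
    printf("unchecked: %zu bytes emitted, adjacent clobbered = %d\n",
           used, adjacent_clobbered(&area));

    int count = translate_checked(&area, block, 20, &used);
    printf("checked:   %d insns, %zu bytes emitted, adjacent clobbered = %d\n",
           count, used, adjacent_clobbered(&area));
    return 0;
}
```

The checked variant keeps `used <= CODE_GEN_MAX_SIZE` only under the premise that no single guest instruction expands to more than OPC_MAX_SIZE bytes of host code; whether that premise, together with the missing limit pass from cpu_gen_code, is enough in practice is exactly what the two messages above disagree about.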