From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org
Cc: "Volker Rümelin" <vr_qemu@t-online.de>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Qiang Liu" <cyruscyliu@gmail.com>
Subject: Re: [PATCH] hw/audio/c97: fix abort in audio_calloc()
Date: Sun, 25 Dec 2022 14:58:51 +0100
Message-ID: <5669170.IcnYlorxoo@silver>
In-Reply-To: <20221225121357.498040-1-cyruscyliu@gmail.com>

On Sunday, December 25, 2022 1:13:57 PM CET Qiang Liu wrote:
> Section 5.10.2 of the AC97 specification (https://hands.com/~lkcl/ac97_r23.pdf)
> shows the feasibility of supporting rates other than 48kHz. Specifically,
> AC97_PCM_Front_DAC_Rate (reg 2Ch) should be from 8kHz to 48kHz.
> 
> Before Volker Rümelin fixed it in 12f4abf6a245 and 0cbc8bd4694f, an adversary
> could leverage this to crash QEMU.
> 
> Fixes: e5c9a13e2670 ("PCI AC97 emulation by malc.")
> Reported-by: Volker Rümelin <vr_qemu@t-online.de>
> Reported-by: Qiang Liu <cyruscyliu@gmail.com>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1393
> Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
> ---
>  hw/audio/ac97.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
> index be2dd701a4..826411e462 100644
> --- a/hw/audio/ac97.c
> +++ b/hw/audio/ac97.c
> @@ -625,9 +625,14 @@ static void nam_writew(void *opaque, uint32_t addr, uint32_t val)
>          break;
>      case AC97_PCM_Front_DAC_Rate:
>          if (mixer_load(s, AC97_Extended_Audio_Ctrl_Stat) & EACS_VRA) {
> -            mixer_store(s, addr, val);
> -            dolog("Set front DAC rate to %d\n", val);
> -            open_voice(s, PO_INDEX, val);
> +            if (val >= 8000 && val <= 48000) {
> +                mixer_store(s, addr, val);
> +                dolog("Set front DAC rate to %d\n", val);
> +                open_voice(s, PO_INDEX, val);
> +            } else {
> +                dolog("Attempt to set front DAC rate to %d, but valid is"
> +                      "8-48kHZ\n", val);
> +            }

Missing space between "is" and "8-48kHz", and it is "Hz" (lower z). Except for that:

Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

>          } else {
>              dolog("Attempt to set front DAC rate to %d, but VRA is not set\n",
>                    val);
> 
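Review bot: in the AC97_PCM_Front_DAC_Rate case, the new range check hard-codes 8000 and 48000, and its else path skips mixer_store() and only emits a dolog() line, so an out-of-range write leaves the register at its previous value. Consider naming the two bounds as constants and stating in a comment that ignoring the write (rather than, for example, clamping it) is the intended behaviour. The commit message also says the crash was already fixed in 12f4abf6a245 and 0cbc8bd4694f, so it should state what this check adds on top of those commits.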



