From 60e543f5ce46d4a90a95963b3bab5c7d13a2aaa9 Mon Sep 17 00:00:00 2001 From: Qiang Liu Date: Thu, 24 Jun 2021 10:44:47 +0800 Subject: hw/audio/sb16: Restrict I/O sampling rate range for command 41h/42h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The I/O sampling rate range is enforced to 5000 to 45000HZ according to commit a2cd86a9. Setting I/O sampling rate with command 41h/42h, a guest user can break this assumption and trigger an assertion in audio_calloc via command 0xd4. This patch restricts the I/O sampling rate range for command 41h/42h. Fixes: 85571bc7415 ("audio merge (malc)") Signed-off-by: Qiang Liu Message-Id: <1624502687-5214-1-git-send-email-cyruscyliu@gmail.com> Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Gerd Hoffmann --- tests/qtest/fuzz-sb16-test.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'tests/qtest/fuzz-sb16-test.c') diff --git a/tests/qtest/fuzz-sb16-test.c b/tests/qtest/fuzz-sb16-test.c index 51030cd7dc..f47a8bcdbd 100644 --- a/tests/qtest/fuzz-sb16-test.c +++ b/tests/qtest/fuzz-sb16-test.c @@ -37,6 +37,22 @@ static void test_fuzz_sb16_0x91(void) qtest_quit(s); } +/* + * This used to trigger the assert in audio_calloc + * through command 0xd4 + */ +static void test_fuzz_sb16_0xd4(void) +{ + QTestState *s = qtest_init("-M pc -display none " + "-device sb16,audiodev=none " + "-audiodev id=none,driver=none"); + qtest_outb(s, 0x22c, 0x41); + qtest_outb(s, 0x22c, 0x00); + qtest_outb(s, 0x22c, 0x14); + qtest_outb(s, 0x22c, 0xd4); + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch = qtest_get_arch(); @@ -46,6 +62,7 @@ int main(int argc, char **argv) if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/test_fuzz_sb16/1c", test_fuzz_sb16_0x1c); qtest_add_func("fuzz/test_fuzz_sb16/91", test_fuzz_sb16_0x91); + qtest_add_func("fuzz/test_fuzz_sb16/d4", test_fuzz_sb16_0xd4); } return g_test_run(); -- cgit v1.2.3