mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-09-20 03:01:32 +00:00
87ad860c62
Because the CMB BAR has a min_access_size of 2, if you read the last byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one error. This is CVE-2018-16847. Another way to fix this might be to register the CMB as a RAM memory region, which would also be more efficient. However, that might be a change for big-endian machines; I didn't think this through and I don't know how real hardware works. Add a basic testcase for the CMB in case somebody does this change later on. Cc: Keith Busch <keith.busch@intel.com> Cc: qemu-block@nongnu.org Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Tested-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> |
||
---|---|---|
.. | ||
dataplane | ||
block.c | ||
cdrom.c | ||
ecc.c | ||
fdc.c | ||
hd-geometry.c | ||
m25p80.c | ||
Makefile.objs | ||
nand.c | ||
nvme.c | ||
nvme.h | ||
onenand.c | ||
pflash_cfi01.c | ||
pflash_cfi02.c | ||
tc58128.c | ||
trace-events | ||
vhost-user-blk.c | ||
virtio-blk.c | ||
xen_blkif.h | ||
xen_disk.c |