mirror of
https://gitlab.com/qemu-project/qemu
synced 2024-09-20 03:01:32 +00:00
87ad860c62
Because the CMB BAR has a min_access_size of 2, if you read the last byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one error. This is CVE-2018-16847. Another way to fix this might be to register the CMB as a RAM memory region, which would also be more efficient. However, that might be a change for big-endian machines; I didn't think this through and I don't know how real hardware works. Add a basic testcase for the CMB in case somebody does this change later on. Cc: Keith Busch <keith.busch@intel.com> Cc: qemu-block@nongnu.org Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Tested-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> |
||
|---|---|---|
| .. | ||
| dataplane | ||
| block.c | ||
| cdrom.c | ||
| ecc.c | ||
| fdc.c | ||
| hd-geometry.c | ||
| m25p80.c | ||
| Makefile.objs | ||
| nand.c | ||
| nvme.c | ||
| nvme.h | ||
| onenand.c | ||
| pflash_cfi01.c | ||
| pflash_cfi02.c | ||
| tc58128.c | ||
| trace-events | ||
| vhost-user-blk.c | ||
| virtio-blk.c | ||
| xen_blkif.h | ||
| xen_disk.c | ||