On 11/15/18 3:35 PM, Peter Maydell wrote:
> An off-by-one error in a switch case in onenand_read() allowed
> a misbehaving guest to read off the end of a block of memory.
>
> NB: the onenand device is used only by the "n800" and "n810"
> machines, which are usable only with TCG, not KVM, so this is
> not a security issue.
>
> Reported-by: Thomas Huth <th...@redhat.com>
> Suggested-by: Richard Henderson <richard.hender...@linaro.org>
> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
> ---
> I tweaked RTH's suggested fix to use an 0xbffe offset so
> we don't overrun on an access to 0xbfff either.
>
> hw/block/onenand.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Richard Henderson <richard.hender...@linaro.org>

r~