On 20.11.2018 at 19:41, Paolo Bonzini wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last
> byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error.  This is CVE-2018-16847.
> 
> Another way to fix this might be to register the CMB as a RAM memory
> region, which would also be more efficient.  However, that might be a
> change for big-endian machines; I didn't think this through and I don't
> know how real hardware works.  Add a basic testcase for the CMB in case
> somebody does this change later on.
> 
> Cc: Keith Busch <keith.bu...@intel.com>
> Cc: qemu-bl...@nongnu.org
> Reported-by: Li Qiang <liq...@gmail.com>
> Reviewed-by: Li Qiang <liq...@gmail.com>
> Tested-by: Li Qiang <liq...@gmail.com>
> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>

Thanks, applied to the block branch and reverted 5e3c0220d7.

Kevin
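The quoted commit message describes the defect class precisely: the region's min_access_size widens a one-byte read at the last offset into a two-byte memcpy, so a check that only validates the starting offset lets the copy run one byte past the buffer. The following is an added illustration of that check, written for this page rather than taken from QEMU; the buffer size, the helper names (`start_only_in_range`, `window_in_range`, `cmb_read`) and the stand-in `cmbuf` are all constructed assumptions, with only the min_access_size of 2 taken from the message above.

```c
/* Added illustration (not QEMU's code): bounds-checking an MMIO read that is
 * widened to the region's min_access_size. Names and sizes are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMB_SIZE       16u  /* constructed backing-buffer size */
#define CMB_MIN_ACCESS 2u   /* the min_access_size named in the commit message */

static uint8_t cmbuf[CMB_SIZE]; /* constructed stand-in for n->cmbuf */

/* Bug pattern: only the start offset is validated. A read widened to 2 bytes
 * at offset CMB_SIZE-1 passes and the subsequent memcpy reads 1 byte too far. */
static bool start_only_in_range(uint64_t addr, unsigned size, uint64_t buf_size)
{
    (void)size;
    return addr < buf_size;
}

/* Fixed pattern: the whole window [addr, addr+size) must fit in the buffer.
 * Written as size <= buf_size - addr so addr + size cannot overflow. */
static bool window_in_range(uint64_t addr, unsigned size, uint64_t buf_size)
{
    return addr <= buf_size && size <= buf_size - addr;
}

/* Read `size` bytes at `addr` from cmbuf into *val, widening to the minimum
 * access size first (as the memory API does). Bytes land in host order.
 * Returns 0 on success, -1 if the widened window is rejected. */
static int cmb_read(uint64_t addr, unsigned size, uint64_t *val)
{
    if (size < CMB_MIN_ACCESS) {
        size = CMB_MIN_ACCESS;
    }
    if (size > sizeof(*val) || !window_in_range(addr, size, CMB_SIZE)) {
        return -1;
    }
    *val = 0;
    memcpy(val, &cmbuf[addr], size);
    return 0;
}

/* Convenience wrapper returning only the status, for callers that just
 * want to know whether an access would be accepted. */
static int cmb_read_status(uint64_t addr, unsigned size)
{
    uint64_t v;
    return cmb_read(addr, size, &v);
}

int main(void)
{
    for (unsigned i = 0; i < CMB_SIZE; i++) {
        cmbuf[i] = (uint8_t)i; /* constructed contents */
    }
    uint64_t v;
    printf("last byte, start-only check accepts: %d\n",
           start_only_in_range(CMB_SIZE - 1, CMB_MIN_ACCESS, CMB_SIZE));
    printf("last byte, window check accepts:     %d\n",
           window_in_range(CMB_SIZE - 1, CMB_MIN_ACCESS, CMB_SIZE));
    printf("read at %u -> %d\n", CMB_SIZE - 2, cmb_read(CMB_SIZE - 2, 1, &v));
    printf("read at %u -> %d\n", CMB_SIZE - 1, cmb_read(CMB_SIZE - 1, 1, &v));
    return 0;
}
```

The point of the comparison is that the check must be applied to the size the memory API will actually use after widening, not to the size the guest asked for; a test that reads the final byte of the region, as the commit message suggests adding, exercises exactly that edge.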