Am 20.11.2018 um 19:41 hat Paolo Bonzini geschrieben: > Because the CMB BAR has a min_access_size of 2, if you read the last > byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one > error. This is CVE-2018-16847. > > Another way to fix this might be to register the CMB as a RAM memory > region, which would also be more efficient. However, that might be a > change for big-endian machines; I didn't think this through and I don't > know how real hardware works. Add a basic testcase for the CMB in case > somebody does this change later on. > > Cc: Keith Busch <keith.bu...@intel.com> > Cc: qemu-bl...@nongnu.org > Reported-by: Li Qiang <liq...@gmail.com> > Reviewed-by: Li Qiang <liq...@gmail.com> > Tested-by: Li Qiang <liq...@gmail.com> > Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
Thanks, applied to the block branch and reverted 5e3c0220d7. Kevin