Just found while investigating https://bugzilla.redhat.com/show_bug.cgi?id=1707118
Found PCIe extended config space filled with random crap due to allocation being too small (conventional pci config space only).

PCI(e) config space is guest writable. Writes are limited by write mask (which probably is also filled with random stuff), so the guest can only flip enabled bits. But I suspect it still might be exploitable, so rather serious because it might be a host escape for the guest. On the other hand the device is probably not yet in widespread use.

Mitigation: use "-device bochs-display" as conventional pci device only.

Note: qemu 4.1 release is planned for tomorrow.

Gerd Hoffmann (1):
  display/bochs: fix pcie support

 hw/display/bochs-display.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

-- 
2.18.1
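The mechanism the cover letter describes, as an added toy model that is not QEMU's code and not the patch: a device's config space is a byte array of register values plus a parallel per-bit write mask, and a guest write only changes the bits the mask enables. The model allocates either the conventional 256 bytes or the full 4 KiB PCIe space; an access past the allocation is rejected with -1 here (the real bug had no such bounds check, so those accesses landed in adjacent memory), and the "uninitialised" variant fills everything past the conventional range with deterministic junk to stand in for stale allocator contents. The struct, function names, and the junk generator are all constructed for this example.

```c
/*
 * Toy model (not QEMU's code) of a PCI device's config space: a byte array
 * of register values plus a parallel byte array acting as a per-bit write
 * mask. Guest writes are masked, so only bits enabled in wmask can change.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PCI_CONFIG_SPACE_SIZE  0x100   /* conventional PCI: 256 bytes */
#define PCIE_CONFIG_SPACE_SIZE 0x1000  /* PCIe: 4 KiB incl. extended space */

struct cfg_space {
    size_t   size;    /* bytes actually allocated for config and wmask */
    uint8_t *config;  /* guest-visible register values */
    uint8_t *wmask;   /* which bits of each byte the guest may change */
};

/* Deterministic junk (LCG) standing in for stale heap contents; constructed. */
static void fill_junk(uint8_t *buf, size_t len, uint32_t seed)
{
    for (size_t i = 0; i < len; i++) {
        seed = seed * 1103515245u + 12345u;
        buf[i] = (uint8_t)(seed >> 16);
    }
}

/*
 * Allocate `size` bytes of config space. Only the first `init_len` bytes are
 * initialised (the device model only knows the conventional range); the rest
 * keeps whatever junk the allocator handed back. Returns 0 on success.
 */
static int cfg_init(struct cfg_space *cs, size_t size, size_t init_len)
{
    cs->size   = size;
    cs->config = malloc(size);
    cs->wmask  = malloc(size);
    if (!cs->config || !cs->wmask) {
        free(cs->config);
        free(cs->wmask);
        return -1;
    }
    fill_junk(cs->config, size, 1);
    fill_junk(cs->wmask,  size, 2);
    if (init_len > size)
        init_len = size;
    memset(cs->config, 0, init_len);
    memset(cs->wmask,  0, init_len);   /* nothing writable until the model enables bits */
    return 0;
}

static void cfg_free(struct cfg_space *cs)
{
    free(cs->config);
    free(cs->wmask);
    cs->config = cs->wmask = NULL;
    cs->size = 0;
}

/* Guest config write, masked by wmask. Out-of-bounds offsets are rejected
 * with -1 instead of touching memory past the allocation. */
static int cfg_write(struct cfg_space *cs, size_t addr, uint8_t val)
{
    if (addr >= cs->size)
        return -1;
    cs->config[addr] = (uint8_t)((cs->config[addr] & ~cs->wmask[addr]) |
                                 (val & cs->wmask[addr]));
    return 0;
}

/* Guest config read; -1 on out-of-bounds. */
static int cfg_read(const struct cfg_space *cs, size_t addr, uint8_t *out)
{
    if (addr >= cs->size)
        return -1;
    *out = cs->config[addr];
    return 0;
}

/* Bytes in [start, end) with a nonzero write mask, i.e. guest-writable. */
static size_t cfg_count_writable(const struct cfg_space *cs, size_t start, size_t end)
{
    size_t n = 0;
    if (end > cs->size)
        end = cs->size;
    for (size_t i = start; i < end; i++)
        if (cs->wmask[i])
            n++;
    return n;
}

int main(void)
{
    struct cfg_space small, big;
    uint8_t v = 0;

    /* Undersized: allocated for conventional PCI but exposed as PCIe. */
    cfg_init(&small, PCI_CONFIG_SPACE_SIZE, PCI_CONFIG_SPACE_SIZE);
    printf("write at 0x100 on 256-byte space -> %d (out of bounds)\n",
           cfg_write(&small, 0x100, 0xff));

    /* Right size, but only the conventional range initialised. */
    cfg_init(&big, PCIE_CONFIG_SPACE_SIZE, PCI_CONFIG_SPACE_SIZE);
    cfg_read(&big, 0x100, &v);
    printf("extended byte 0x100 = 0x%02x, writable bytes in extended space: %zu\n",
           v, cfg_count_writable(&big, 0x100, PCIE_CONFIG_SPACE_SIZE));

    cfg_free(&small);
    cfg_free(&big);
    return 0;
}
```

The second case is what the guest sees when the extended range is never initialised: junk values, and a junk write mask that makes a random subset of those bytes guest-writable, which is the "can only flip enabled bits" situation the cover letter describes.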