On 12/08/19 08:52, Gerd Hoffmann wrote:
> Just found while investigating
> https://bugzilla.redhat.com/show_bug.cgi?id=1707118
>
> Found PCIe extended config space filled with random crap due to
> allocation being too small (conventional pci config space only).
>
> PCI(e) config space is guest writable. Writes are limited by
> write mask (which probably is also filled with random stuff),

Yes, it is also allocated with 256 bytes only.

> so the guest can only flip enabled bits. But I suspect it
> still might be exploitable, so rather serious because it might
> be a host escape for the guest. On the other hand the device
> is probably not yet in widespread use.
>
> Mitigation: use "-device bochs-display" as conventional pci
> device only.
>
> Note: qemu 4.1 release is planned for tomorrow.
>
> Gerd Hoffmann (1):
>   display/bochs: fix pcie support
>
>  hw/display/bochs-display.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)

Looks good to me, and no other device seems to have the same issue.

We could add an assertion that pci_config_size has not increased after
calling pc->realize.

Reviewed-by: Paolo Bonzini <pbonz...@redhat.com>

Paolo
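To show the ordering problem that the assertion proposed in this reply would catch, here is an added C model; it is not QEMU's code, and ModelPCIDevice, model_config_size and demo_realize_order are hypothetical stand-ins for QEMU's PCIDevice, pci_config_size and the realize step. The config and write-mask buffers are sized by what the device claims at allocation time, so a device that only claims PCIe during realize ends up with 4096 addressable bytes backed by 256.

```c
#include <stdint.h>
#include <stdlib.h>
#define PCI_CONFIG_SPACE_SIZE  256    /* conventional PCI */
#define PCIE_CONFIG_SPACE_SIZE 4096   /* PCI Express extended */

/* Hypothetical model of a PCI device, not QEMU's PCIDevice. */
typedef struct {
    int is_pcie;          /* set when the device claims the PCIe capability */
    size_t config_alloc;  /* bytes actually allocated for config and wmask */
    uint8_t *config;
    uint8_t *wmask;       /* guest-writable bits; 0 means read-only */
} ModelPCIDevice;
/* Stands in for pci_config_size(): the space the guest may address. */
static size_t model_config_size(const ModelPCIDevice *d)
{
    return d->is_pcie ? PCIE_CONFIG_SPACE_SIZE : PCI_CONFIG_SPACE_SIZE;
}
/* Allocation happens once, sized by the claim made at this moment. */
static void model_alloc_config(ModelPCIDevice *d)
{
    d->config_alloc = model_config_size(d);
    d->config = calloc(d->config_alloc, 1);
    d->wmask = calloc(d->config_alloc, 1);
}
/* Guest write: apply wmask; return -1 for offsets past the allocated bytes. */
static int model_guest_write8(ModelPCIDevice *d, size_t addr, uint8_t val)
{
    if (addr >= d->config_alloc) return -1;
    d->config[addr] = (d->config[addr] & ~d->wmask[addr]) | (val & d->wmask[addr]);
    return 0;
}
/* The review's proposed assertion: size after realize == size allocated for. */
static int model_check_after_realize(const ModelPCIDevice *d, size_t size_before)
{
    return model_config_size(d) == size_before && d->config_alloc == size_before;
}

/* late_flag=1: PCIe claimed only in "realize", after allocation (the bug pattern);
 * late_flag=0: claimed first. Bit0: check passed; bit1: first extended byte in bounds. */
static int demo_realize_order(int late_flag)
{
    ModelPCIDevice d = { 0 };
    if (!late_flag) d.is_pcie = 1;
    size_t before = model_config_size(&d);
    model_alloc_config(&d);
    if (late_flag) d.is_pcie = 1;
    int ok = model_check_after_realize(&d, before);
    int wr = model_guest_write8(&d, PCI_CONFIG_SPACE_SIZE, 0xff) == 0;
    free(d.config); free(d.wmask);
    return ok | (wr << 1);
}
```

With the late claim the check fails and a write to offset 0x100 is refused only because this model bounds-checks against the allocation; the real device had no such guard, which is why the extended space read back uninitialised memory.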