On 8/12/19 2:45 PM, Paolo Bonzini wrote:
> On 12/08/19 08:52, Gerd Hoffmann wrote:
>> Just found while investigating
>> https://bugzilla.redhat.com/show_bug.cgi?id=1707118
>>
>> Found PCIe extended config space filled with random crap due to
>> allocation being too small (conventional pci config space only).
>>

Can you amend this information to the commit description?

<...
>> PCI(e) config space is guest writable. Writes are limited by
>> write mask (which probably is also filled with random stuff),
>
> Yes, it is also allocated with 256 bytes only.
>
>> so the guest can only flip enabled bits. But I suspect it
>> still might be exploitable, so rather serious because it might
>> be a host escape for the guest. On the other hand the device
>> is probably not yet in widespread use.
...>
>> Mitigation: use "-device bochs-display" as conventional pci
>> device only.
>>
>> Note: qemu 4.1 release is planned for tomorrow.
>>
>> Gerd Hoffmann (1):
>>   display/bochs: fix pcie support
>>
>>  hw/display/bochs-display.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>
>
> Looks good to me, and no other device seems to have the same issue. We
> could add an assertion that pci_config_size has not increased after
> calling pc->realize.
>
> Reviewed-by: Paolo Bonzini <pbonz...@redhat.com>
>
> Paolo
>
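The failure mode discussed in the thread (config space and write mask sized for conventional PCI while the device later presents as PCIe) and the check Paolo proposes (the config size must not grow across realize) are modelled below in a small C program. This is an added example written for this page, not code from QEMU, from the bochs-display patch, or from either author; `ToyPciDev`, `toy_config_size()`, `toy_register_device()` and the scenario functions are hypothetical stand-ins for the real bus-layer code, and the write mask contents are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, not QEMU's PCIDevice: config space and write mask are sized
 * once, at registration, from the device's express flag. */
#define PCI_CONFIG_SPACE_SIZE   256    /* conventional PCI */
#define PCIE_CONFIG_SPACE_SIZE  4096   /* PCIe: includes the extended region */

typedef struct ToyPciDev {
    int      is_express;   /* hypothetical stand-in for the PCIe capability flag */
    size_t   config_size;  /* bytes actually allocated for config and wmask */
    uint8_t *config;       /* guest-visible config space */
    uint8_t *wmask;        /* set bits are guest-writable */
} ToyPciDev;

/* Plays the role of pci_config_size(): what the bus layer believes the size is. */
static size_t toy_config_size(const ToyPciDev *d)
{
    return d->is_express ? PCIE_CONFIG_SPACE_SIZE : PCI_CONFIG_SPACE_SIZE;
}

/* The bug pattern: the device becomes PCIe only inside realize, after the
 * bus layer has already sized its buffers as conventional PCI. */
static void buggy_realize(ToyPciDev *d)
{
    d->is_express = 1;
}

/* Toy registration: allocate from the pre-realize size, run realize, then
 * check that the size the bus layer would now compute has not grown.
 * Returns 0 on success, -1 on allocation failure or a size mismatch. */
static int toy_register_device(ToyPciDev *d, void (*realize)(ToyPciDev *))
{
    size_t before = toy_config_size(d);

    d->config = calloc(before, 1);
    d->wmask  = calloc(before, 1);
    if (!d->config || !d->wmask) {
        return -1;
    }
    d->config_size = before;
    memset(d->wmask, 0xff, 64);   /* constructed: first 64 bytes writable */

    if (realize) {
        realize(d);
    }
    /* Anything using toy_config_size() from here on would index past the
     * buffers allocated above, so refuse to continue. */
    return toy_config_size(d) == before ? 0 : -1;
}

static void toy_free(ToyPciDev *d)
{
    free(d->config);
    free(d->wmask);
    d->config = d->wmask = NULL;
}

/* Guest byte write: bounds-checked against the allocated size and masked
 * so only bits enabled in wmask can change. Returns 0 or -1. */
static int toy_config_write(ToyPciDev *d, uint32_t addr, uint8_t val)
{
    if (addr >= d->config_size) {
        return -1;
    }
    d->config[addr] = (uint8_t)((d->config[addr] & ~d->wmask[addr]) |
                                (val & d->wmask[addr]));
    return 0;
}

/* Scenarios return plain values so each outcome can be checked. */
int scenario_conventional(void)            /* no express flag: 0 */
{
    ToyPciDev d = {0};
    int rc = toy_register_device(&d, NULL);
    toy_free(&d);
    return rc;
}

int scenario_buggy_express(void)           /* flag set in realize: -1 */
{
    ToyPciDev d = {0};
    int rc = toy_register_device(&d, buggy_realize);
    toy_free(&d);
    return rc;
}

size_t scenario_fixed_express_size(void)   /* flag set before registration: 4096 */
{
    ToyPciDev d = {0};
    d.is_express = 1;
    size_t n = toy_register_device(&d, NULL) == 0 ? d.config_size : 0;
    toy_free(&d);
    return n;
}

int scenario_write_extended_on_conventional(void) /* 0x100 on a 256-byte device: -1 */
{
    ToyPciDev d = {0};
    (void)toy_register_device(&d, NULL);
    int rc = toy_config_write(&d, 0x100, 0xff);
    toy_free(&d);
    return rc;
}

int scenario_wmask_blocks_write(void)      /* byte with zero wmask stays 0 */
{
    ToyPciDev d = {0};
    (void)toy_register_device(&d, NULL);
    (void)toy_config_write(&d, 0x80, 0xff);
    int v = d.config[0x80];
    toy_free(&d);
    return v;
}

int main(void)
{
    printf("conventional: %d\n", scenario_conventional());
    printf("buggy express (size check fires): %d\n", scenario_buggy_express());
    printf("fixed express size: %zu\n", scenario_fixed_express_size());
    printf("extended write on conventional: %d\n",
           scenario_write_extended_on_conventional());
    printf("masked write leaves byte at: %d\n", scenario_wmask_blocks_write());
    return 0;
}
```

The point of the model is the ordering: whatever decides the config size has to be settled before the buffers are allocated, and a post-realize comparison of that size against the allocation turns a silent out-of-bounds config space into an immediate failure. Real QEMU keeps the guest write masked by wmask, as the thread notes, so the toy write path does the same; the bounds check shows the condition a too-small allocation violates.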