On Mon, 12 Aug 2019 at 13:51, Philippe Mathieu-Daudé <phi...@redhat.com> wrote: > > On 8/12/19 2:45 PM, Paolo Bonzini wrote: > > On 12/08/19 08:52, Gerd Hoffmann wrote: > >> Just found while investigating > >> https://bugzilla.redhat.com/show_bug.cgi?id=1707118 > >> > >> Found PCIe extended config space filled with random crap due to > >> allocation being too small (conventional pci config space only). > >> > > Can you amend this information to the commit description? > > <... > > >> PCI(e) config space is guest writable. Writes are limited by > >> write mask (which probably is also filled with random stuff), > > > > Yes, it is also allocated with 256 bytes only. > > > >> so the guest can only flip enabled bits. But I suspect it > >> still might be exploitable, so rather serious because it might > >> be a host escape for the guest. On the other hand the device > >> is probably not yet in widespread use. > > ...>
I can add to the commit this paragraph of the cover letter, and I think also the 'mitigation' note might as well go in. I've also put the cc:stable into the commit message. Updated commit, ready to apply to master if we're OK with it: https://git.linaro.org/people/peter.maydell/qemu-arm.git/commit/?h=staging&id=c075b5f318a8be628ab8edf93be33f5a93a4aacd thanks -- PMM