If I try to make a "usb_add
host:0fca:0004" the system waits forever for something with the CPU at 100%.
Does anyone have successful experience?
I'll try with a USB Bluetooth dongle to bypass the USB interface... I
hope that this will help...
Thanks
Matteo
p.s.: The original qemu patch is un
mknod /dev/kqemu c 250 0
You should chmod it then in order to use it even if not root.
hope that helps,
Mattéo
On Tuesday, 20 September 2005 at 08:01 +0300, Ozan Türkyılmaz wrote:
> what is the major, minor numbers of kqemu under linux ? i need to know
> so that i can create the /dev/kqemu file.
On Monday, 03 October 2005 at 20:29 +0200, Fabrice Bellard wrote:
> Another point is that I am very tempted to integrate a feature to
> connect several qemu without needing an external program such as VDE. I
> am thinking of it because it would be relatively easy to add to the
> existing user-ne
ermit a consistent
copy possible?
Regards,
Matteo Bertini
On 21-11-2007 0:02, Fabrice Bellard wrote:
> Matteo Bertini wrote:
>> Hello everyone,
>>
>> is there any support for an online image backup? Or some direction to
>> have it?
>>
>> Imagine I have an emulated server. How can I make an online backup of
>
`firefox updated' page.
Yes. My fault. It will be solved.
> 3. and there were a few (I think) `clock went backwards' messages on
> the (guest's) console.
This is qemu's fault. I have no doubts about it.
Thanks for the report, it is much appreciated.
I hope you'
eeSBIE images won't have atapicam in
the kernel as there's no need for it.
While I'm here, I want to thank all the qemu developers for their great
work. Qemu is my main FreeSBIE testing platform and I'm really happy with
it.
Best Regards
--
Matteo Riondato
FreeBSD Commit
know what occurs if the host OS is corrupted (for example, a virus or
worm present in Windows) to the guest OS.
Sorry for my English and many thanks in advance,
Matteo
___
Qemu-devel mailing list
Qemu-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/qemu-devel
From: Matteo Croce
Add a '-c' option which does a chroot() just before starting the
emulation. This is useful when the static QEMU user binary can't
be copied into the target root filesystem, e.g. if it's readonly.
Move some code which accesses /proc/sys/vm/mmap_min_ad
On Tue, Dec 8, 2020 at 9:21 AM Laurent Vivier wrote:
>
> On 08/12/2020 at 01:17, Matteo Croce wrote:
> > From: Matteo Croce
> >
> > Add a '-c' option which does a chroot() just before starting the
> > emulation. This is useful when the static QEMU
++++-
> 4 files changed, 67 insertions(+), 14 deletions(-)
>
> --
> 2.38.1
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
MTX_OK) {
> +qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
> + __func__);
> +return -length;
Not strictly related to this issue, but what's the point of returning
-length instead of e.g. -1? Apart from that, LGTM. Thank you.
> +}
> le64_to_cpus(&trb.parameter);
> le32_to_cpus(&trb.status);
> le32_to_cpus(&trb.control);
> --
> 2.31.1
>
&& !(trb.control & TRB_TR_CH)) {
> return length;
> }
> -}
> +
> +/*
> + * According to the xHCI spec, Transfer Ring segments should have
> + * a maximum size of 64 kB (see chapter "6 Data Structures")
>
much for this, picked up now!
I do not see the second part of the fix (commit 07ce178a "qga/win32:
Use rundll for VSS installation") in stable-7.2. Has it somehow fallen
through the cracks?
Thanks,
> /mjt
>
> hw/display/virtio-gpu.c | 6 ++
> hw/virtio/virtio-crypto.c | 4 ++--
> hw/virtio/virtio.c | 10 ++
> 5 files changed, 22 insertions(+), 8 deletions(-)
>
> --
> 2.41.0
>
Thanks,
> available) {
> +qemu_log_mask(LOG_GUEST_ERROR, "SDHC buffer data full (size:
> %"PRIu32")"
> + " discarding %u byte%s\n",
> + s->buf_maxsz, size - available,
> + size - available > 1 ? "s" : "");
> +size = available; /* Excess data of the last write is ignored. */
> +}
> for (i = 0; i < size; i++) {
> s->fifo_buffer[s->data_count] = value & 0xFF;
> s->data_count++;
> --
> 2.41.0
>
Thank you Philippe. This was assigned CVE-2024-3447.
changed, 34 insertions(+), 16 deletions(-)
>
> --
> 2.41.0
>
l net_tx_pkt_update_sctp_checksum(struct NetTxPkt
> *pkt)
> uint32_t csum = 0;
> struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
>
> +if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
> +return false;
> +
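Review bot: the literal 8 in the new bounds check `8 + sizeof(csum)` is unexplained; it is the byte offset of the checksum field within the 12-byte SCTP common header (source port, destination port, verification tag, checksum), so a named constant or a one-line comment would make the minimum payload length self-documenting. Returning false on a short payload is the right response, since the checksum cannot be computed over a header that is not fully present.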
This prevents the well-known DMA-MMIO reentrancy problem (upstream issue #556)
leading to memory corruption bugs like stack overflow or use-after-free.
Fixes: CVE-2023-0330
Signed-off-by: Mauro Matteo Cascella
Reported-by: Zheyu Ma
---
hw/scsi/lsi53c895a.c | 14
On Mon, Jan 16, 2023 at 9:42 PM Mauro Matteo Cascella
wrote:
>
> This prevents the well known DMA-MMIO reentrancy problem (upstream issue #556)
> leading to memory corruption bugs like stack overflow or use-after-free.
>
> Fixes: CVE-2023-0330
> Signed-off-by: Mauro Matteo Casce
> >> On Jan 16, 2023, at 2:42 PM, Mauro Matteo Cascella
> >> wrote:
> >>
> >> This prevents the well known DMA-MMIO reentrancy problem (upstream issue
> >> #556)
> >> leading to memory corruption bugs like stack overflow or use-after-free.
> >
On Thu, Dec 22, 2022 at 6:29 PM Mauro Matteo Cascella
wrote:
>
> Local variable "name" is allocated through strdup_printf and should be
> freed with g_free() to avoid a memory leak.
>
> Fixes: 3616f424 ("nubus-device: add romfile property for loading declaration
>
prototype to
accept unsigned ints.
Fixes: CVE-2023-1601
Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc
(CVE-2021-4206)")
Signed-off-by: Mauro Matteo Cascella
Reported-by: Jacek Halon
---
include/ui/console.h | 4 ++--
ui/cursor.c | 2 +-
2 files changed, 3
Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM algtype.
Fixes: 02ed3e7c ("virtio-crypto: zeroize the key material before free")
Signed-off-by: Mauro Matteo Cascella
Reported-by: Yiming Tao
---
hw/virtio/virtio-crypto.c | 20 +++-
1 file changed, 11
Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM algtype.
Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
Signed-off-by: Mauro Matteo Cascella
Reported-by: Yiming Tao
---
v2:
- updated 'Fixes:' tag
hw/virtio/virtio-crypto.c | 20 +++-
On Tue, May 9, 2023 at 3:47 AM zhenwei pi wrote:
>
>
>
> On 5/9/23 09:02, Gonglei (Arei) wrote:
> >
> >
> >> -Original Message-
> >> From: Mauro Matteo Cascella [mailto:mcasc...@redhat.com]
> >> Sent: Monday, May 8, 2023 11:02 PM
>
rocker_tlv_parse_nested could return early because of no group ids in
the group_tlvs. In such a case tlvs is NULL; tlvs[i + 1] in the next
for-loop will dereference the NULL pointer.
Signed-off-by: Mauro Matteo Cascella
Reported-by:
---
hw/net/rocker/rocker_of_dpa.c | 5 +
1 file changed, 5
This prevents an OOB read (followed by an assertion failure in
xhci_kick_ep) when slotid > xhci->numslots.
Reported-by: Soul Chen
Signed-off-by: Mauro Matteo Cascella
---
hw/usb/hcd-xhci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/u
Set current_req->req to NULL to prevent reusing a free'd buffer in case of
repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella
---
On Mon, May 8, 2023 at 4:20 PM Mauro Matteo Cascella
wrote:
>
> The cursor_alloc function still accepts a signed integer for both the cursor
> width and height. A specially crafted negative width/height could make
> datasize
> wrap around and cause the next allocation to be
On Mon, May 22, 2023 at 8:55 PM Philippe Mathieu-Daudé
wrote:
>
> On 9/5/23 09:13, Marc-André Lureau wrote:
> > Hi
> >
> > On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella
> > mailto:mcasc...@redhat.com>> wrote:
> >
> > The cursor_alloc
On Tue, May 23, 2023 at 10:16 AM Daniel P. Berrangé wrote:
>
> On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote:
> > The cursor_alloc function still accepts a signed integer for both the cursor
> > width and height. A specially crafted negative width
>
> >>> On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella
> >>> mailto:mcasc...@redhat.com>> wrote:
> >>>
> >>> The cursor_alloc function still accepts a signed integer for both
> >>> the cursor
> >>> widt
On Tue, May 23, 2023 at 3:03 PM Daniel P. Berrangé wrote:
>
> On Tue, May 23, 2023 at 02:50:09PM +0200, Mauro Matteo Cascella wrote:
> > On Tue, May 23, 2023 at 10:16 AM Daniel P. Berrangé
> > wrote:
> > >
> > > On Mon, May 08, 2023 at 04:18:13PM +0200, Maur
On Tue, May 23, 2023 at 4:07 PM Philippe Mathieu-Daudé
wrote:
>
> On 23/5/23 14:57, Mauro Matteo Cascella wrote:
> > On Tue, May 23, 2023 at 10:37 AM Philippe Mathieu-Daudé
> > wrote:
> >>
> >> On 23/5/23 10:09, Daniel P. Berrangé wrote:
> >>> On
protects us against accidentally introducing future bugs.
Signed-off-by: Mauro Matteo Cascella
Reported-by: Jacek Halon
Reported-by: Yair Mizrahi
Reported-by: Elsayed El-Refa'ei
Reviewed-by: Marc-André Lureau
Reviewed-by: Daniel P. Berrangé
---
v2:
- update commit summary/description
2022-11/msg01068.html
There was a better patch proposed by Philippe:
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01161.html
Which was later dropped due to a CI failure:
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01504.html
Not sure what's the current status.
>
ertions(+), 1 deletion(-)
>
> Fixes: CVE-2023-1544
>
> Ping ^2?
Ping ^3?
> Laurent, maybe you can take this one too?
> I understand the fact you picked up the previous one in this area
> does not make you pvrdma maintainer, but it is definitely being stuck.. :)
>
> /mjt
>
o check qemu-devel@nongnu.org from time to time.
>
> Marcel, any feedback?
=2020588
Signed-off-by: Mauro Matteo Cascella
Reported-by: Qiuhao Li
---
hw/scsi/scsi-disk.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index e8a547dbb7..5852e8dcfd 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1087,6 +1087,7
Hi Bin,
On Fri, Sep 2, 2022 at 3:56 AM Bin Meng wrote:
>
> Hi,
>
> On Wed, Jul 13, 2022 at 8:45 PM Paolo Bonzini wrote:
> >
> > From: Mauro Matteo Cascella
> >
> > Set current_req to NULL, not current_req->req, to prevent reusing a free'd
> >
test_lsi_do_msgout_cancel_req does not run on machines with small size
memory. Reduce guest memory from 4G to 2G to alleviate the problem.
Reported-by: Bin Meng
Signed-off-by: Mauro Matteo Cascella
---
tests/qtest/fuzz-lsi53c895a-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion
The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
bytes long. Only fill in the buffer as long as there is enough space, throw
away any data which doesn't fit.
Signed-off-by: Mauro Matteo Cascella
---
hw/usb/dev-wacom.c | 20 +---
1 file change
Hi Philippe,
On Mon, Feb 13, 2023 at 7:26 PM Philippe Mathieu-Daudé
wrote:
>
> Hi Mauro,
>
> On 13/2/23 18:41, Mauro Matteo Cascella wrote:
> > The guest can control the size of buf; an OOB write occurs when buf is 1 or
> > 2
> > bytes long. Only fill in the buf
xs
> > @@ -31,6 +31,7 @@
> > />
> >> EmbedCab="yes" />
> > 1
> > +
> >> DowngradeErrorMessage="Error: A newer version of QEMU guest agent
> > is already installed."
> > />
> > --
> > 2.25.1
> >
> >
>
ivenDell
Reported-by: Siqi Chen
Reported-by: ningqiang
Signed-off-by: Mauro Matteo Cascella
---
hw/sd/sdhci.c | 4
1 file changed, 4 insertions(+)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 306070c872..aa2fd79df2 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -978,6 +978,10 @@ sta
On Mon, Nov 7, 2022 at 11:35 AM Mauro Matteo Cascella
wrote:
>
> Make sure to reset data_count if it's equal to (or exceeds) block_size.
> This prevents an off-by-one read / write when accessing s->fifo_buffer
> in sdhci_read_dataport / sdhci_write_dataport, bot
On Mon, Nov 7, 2022 at 8:12 PM Philippe Mathieu-Daudé wrote:
>
> On 7/11/22 11:35, Mauro Matteo Cascella wrote:
> > Make sure to reset data_count if it's equal to (or exceeds) block_size.
> > This prevents an off-by-one read / write when accessing s->fifo_buffer
ACE_AVAILABLE | SDHC_DATA_INHIBIT;
> + SDHC_DATA_INHIBIT;
> sdhci_write_block_to_card(s);
> }
> }
> --
> 2.38.1
>
Tested-by: Mauro Matteo Cascella
Thank you,
ll_main (/lib64/libc.so.6+0x40f5f)
#23 0x7f880872900f in __libc_start_main_impl (/lib64/libc.so.6+0x4100f)
#24 0x55b023679644 in _start (./qemu-system-x86_64+0x20f2644)
> Thanks,
> Siqi Chen.
>
>
>
> Bin Meng wrote on Wed, 9 Nov 2022 at 17:30:
>>
>> Hi,
>>
> >
On Wed, Nov 9, 2022 at 5:19 PM Bin Meng wrote:
>
> On Wed, Nov 9, 2022 at 6:10 PM Mauro Matteo Cascella
> wrote:
> >
> > On Wed, Nov 9, 2022 at 10:45 AM Siqi Chen wrote:
> > >
> > > Hi,
> > >
> > > >This reproducer does not crash my Q
in
protocol_client_msg.
Fixes: CVE-2022-3165
Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Reported-by: TangPeng
Signed-off-by: Mauro Matteo Cascella
---
Extended Clipboard Pseudo-Encoding:
https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#extended-clipboard-pseudo-encoding
Commit 799f7f01 left some DMA calls unprotected. Let's patch them.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Reported-by: Siqi Chen
Signed-off-by: Mauro Matteo Cascella
---
hw/sd/sdhci.c | 22 +-
1 file changed, 13 insertions(+), 9 deletions(-)
Local variable "name" is allocated through strdup_printf and should be
freed with g_free() to avoid a memory leak.
Fixes: 3616f424 ("nubus-device: add romfile property for loading declaration
ROMs")
Signed-off-by: Mauro Matteo Cascella
---
hw/nubus/nubus-device.c | 1
:
>
> On 220705 2205, Mauro Matteo Cascella wrote:
> > Set current_req->req to NULL to prevent reusing a free'd buffer in case of
> > repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the
> > patch.
> >
> > Fixes: CVE-2022-0216
> >
ssues/972
Signed-off-by: Mauro Matteo Cascella
---
v2:
- handle CLEAR QUEUE and BUS DEVICE RESET messages
- new qtest: test_lsi_do_msgout_cancel_req
hw/scsi/lsi53c895a.c | 2 +
tests/qtest/fuzz-lsi53c895a-test.c | 71 ++
2 files changed, 73 insertions(+)
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2022-4206
Signed-off-by: Mauro Matteo Cascella
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2022-4207
Signed-off-by: Mauro Matteo Cascella
---
hw/display/qxl-render.c | 2 +
ht
> 256) is already done in vmsvga_fifo_run before calling
vmsvga_cursor_define. You want me to add another check in
vmsvga_cursor_define and return NULL if cursor_alloc fails?
> take care,
> Gerd
>
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2022-4206
Signed-off-by: Mauro Matteo Ca
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella
---
v2:
- fix CVE id (CVE-2021-4207 inst
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella
On Thu, Apr 7, 2022 at 11:17 AM Marc-André Lureau
wrote:
>
>
>
> On Thu, Apr 7, 2022 at 12:23 PM Mauro Matteo Cascella
> wrote:
>>
>> Prevent potential integer overflow by limiting 'width' and 'height' to
>> 512x512. Also change 'dat
On Sun, Sep 25, 2022 at 10:45 PM Mauro Matteo Cascella
wrote:
>
> Extended ClientCutText messages start with a 4-byte header. If len < 4,
> an integer underflow occurs in vnc_client_cut_text_ext. The result is
> used to decompress data in a while loop in inflate_buffer, l
-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis
Signed-off-by: Mauro Matteo Cascella
---
ui/vnc-clipboard.c | 10 --
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 8aeadfaa21..c759be3
On Tue, Jul 4, 2023 at 11:03 AM Marc-André Lureau
wrote:
>
>
>
> On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella
> wrote:
>>
>> A wrong exit condition may lead to an infinite loop when inflating a
>> valid zlib buffer containing some extra bytes in the
>>
>> Reported-by: Xiao Lei
>> Cc: Yuri Benditovich
>> Cc: qemu-sta...@nongnu.org
>> Cc: Mauro Matteo Cascella
>> Fixes: CVE-2023-6693
>> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
>> Signed-off-by: Jason
,6 +83,7 @@ Responsible Disclosure, Reporting Security Issues
-----
W: https://wiki.qemu.org/SecurityProcess
M: Michael S. Tsirkin
+L: qemu-secur...@nongnu.org
L: secal...@redhat.com
Trivial patches
> Thanks,
> Stefan
>
Thank you,
On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella
wrote:
>
> rocker_tlv_parse_nested could return early because of no group ids in
> the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next
> for-loop will deref the NULL pointer.
Someone somehow reserved a new CVE
On Sat, Aug 26, 2023 at 4:31 PM Mauro Matteo Cascella
wrote:
>
> On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella
> wrote:
> >
> > rocker_tlv_parse_nested could return early because of no group ids in
> > the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in
On Mon, Aug 28, 2023 at 6:11 PM Philippe Mathieu-Daudé
wrote:
>
> On 27/8/23 13:07, Mauro Matteo Cascella wrote:
> > On Sat, Aug 26, 2023 at 4:31 PM Mauro Matteo Cascella
> > wrote:
> >>
> >> On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella
> >>
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36648
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1863025
Title:
Use-after-free after flush in TCG accelerator
Status in QEMU:
>flags & NVME_SG_ALLOC);
>
> if (sg->flags & NVME_SG_DMA) {
> -const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +const MemTxAttrs attrs = { .memory = true };
> MemTxResult res;
> uint64_t residual;
>
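Review bot: the replacement initializer `{ .memory = true }` leaves every other MemTxAttrs field zero, whereas the removed MEMTXATTRS_UNSPECIFIED expands to a struct with only `.unspecified` set; the DMA path in this hunk therefore stops advertising unspecified attributes. That is the intended effect of marking the access as device-originated memory traffic, but it is worth confirming that no consumer of these attrs on the NVME_SG_DMA path keys off `.unspecified`, and a short comment on the `+` line saying why `.memory` is set would help the next reader.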
> --
> 2.33.1
>
>cdw10, lid = 3
> NVME_LOG_FW_SLOT_INFO, nvme_fw_log_info, buf_len = 4 */
> write 0x1030 0x4 0xfc01 /* cmd->cdw12 = 0x1fc, Log Page Offset,
> trans_len = sizeof(fw_log) - 0x1fc = 4 */
> clock_step
> EOF
>
> CC: Mauro Matteo Cascella and Philippe Mathieu-Daudé. S
ake it clear (probably here:
https://www.qemu.org/docs/master/system/security.html) that these
kinds of bugs are not eligible for CVE assignment.
> > > > Mauro, please update us when you get the CVE number.
> > > > Michael, please amend the CVE number before committing the fix.
> > > >
> > > > FWIW Paolo asked every fuzzed bug reproducer to be committed
> > > > as qtest, see tests/qtest/fuzz*c. Alex has a way to generate
> > > > reproducer in plain C.
> > > >
> > > > Regards,
> > > >
> > > > Phil.
> > >
>
On Thu, Dec 23, 2021 at 2:43 PM Michael S. Tsirkin wrote:
>
> On Thu, Dec 23, 2021 at 10:58:14AM +0100, Mauro Matteo Cascella wrote:
> > Hi,
> >
> > On Wed, Dec 22, 2021 at 9:52 PM Michael S. Tsirkin wrote:
> > >
> > > On Wed, Dec 22, 2021 at 09:2
frame size during packet transmission.
Reported-by: Ziming Zhang
Signed-off-by: Mauro Matteo Cascella
---
hw/net/ftgmac100.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
index 043ba61b86..bcf4d84aea 100644
--- a/hw/net/ftgmac100.c
+++
A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
occurs while sending an Ethernet frame due to missing break statements
and improper checking of the buffer size.
Reported-by: Ziming Zhang
Signed-off-by: Mauro Matteo Cascella
---
hw/net/xgmac.c | 7 +--
1 file ch
On Fri, Jul 10, 2020 at 1:33 PM Peter Maydell wrote:
>
> On Fri, 10 Jul 2020 at 09:56, Mauro Matteo Cascella
> wrote:
> >
> > An integer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
> > occurs while inserting the VLAN tag in packets whose leng
This patch introduces a new function in hw/net/net_tx_pkt.{c,h} to check the
current data fragment against the maximum number of data fragments.
Reported-by: Ziming Zhang
Signed-off-by: Mauro Matteo Cascella
---
hw/net/net_tx_pkt.c | 5 +
hw/net/net_tx_pkt.h | 8
2 files changed
This patch adds a check in both e1000e and vmxnet3 devices to skip the packet
if the current data fragment exceeds max_raw_frags, preventing
net_tx_pkt_add_raw_fragment() from being called with an invalid raw_frags.
Reported-by: Ziming Zhang
Signed-off-by: Mauro Matteo Cascella
---
hw/net
th an invalid raw_frags
Mauro Matteo Cascella (2):
hw/net/net_tx_pkt: add function to check pkt->max_raw_frags
hw/net: check max_raw_frags in e1000e and vmxnet3 devices
hw/net/e1000e_core.c | 3 ++-
hw/net/net_tx_pkt.c | 5 +
hw/net/net_tx_pkt.h | 8
hw/net/vmxnet3.c |
On Tue, Jul 28, 2020 at 6:06 AM Jason Wang wrote:
>
>
> On 2020/7/28 1:08 AM, Mauro Matteo Cascella wrote:
> > This patch introduces a new function in hw/net/net_tx_pkt.{c,h} to check the
> > current data fragment against the maximum number of data fragments.
>
>
> I
t; write 0xe1020110 0x4 0x1b0202e1
> write 0xe1020118 0x4 0x06fff105
> write 0xe1020128 0x7 0xf3055e411b0202
> write 0xe1020402 0x2 0x5e41
> write 0xe1020420 0x4 0x1b0202e1
> write 0xe1020428 0x4 0x06ff6105
> write 0xe1020438 0x1 0x63
> write 0xe1020439 0x1 0x05
> EOF
>
On Thu, Jul 30, 2020 at 7:28 AM Jason Wang wrote:
>
>
> On 2020/7/29 12:26 AM, Mauro Matteo Cascella wrote:
> > On Tue, Jul 28, 2020 at 6:06 AM Jason Wang wrote:
> >>
> >> On 2020/7/28 1:08 AM, Mauro Matteo Cascella wrote:
> >>> This patch introduces
false if the current
data fragment exceeds max_raw_frags.
Reported-by: Alexander Bulekov
Reported-by: Ziming Zhang
Signed-off-by: Mauro Matteo Cascella
---
hw/net/net_tx_pkt.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index
e crash and return FTGMAC100_INT_XPKT_LOST status. This seems
> like a good modeling choice even if Aspeed does not specify anything
> in that case.
>
> Cc: Frederic Konrad
> Cc: Mauro Matteo Cascella
> Reported-by: Ziming Zhang
> Signed-off-by: Cédric Le Goater
> ---
> hw/
On Mon, Aug 10, 2020 at 7:14 PM Cédric Le Goater wrote:
>
> On 8/10/20 3:43 PM, Mauro Matteo Cascella wrote:
> > On Thu, Aug 6, 2020 at 3:21 PM Cédric Le Goater wrote:
> >>
> >> When inserting the VLAN tag in packets, memmove() can generate an
> >> integ
Hello,
Thank you all for your comments. Both patches (PJP/comment#8 -
Mark/comment#9) seem to properly fix the UAF reported by Alexander in
comment #6. However, I'm still able to reproduce the heap-bof from the
above hw-esp-oob-issues.zip:
./x86_64-softmmu/qemu-system-x86_64 -m 512 \
-drive file=
I can confirm this is fixed now, thank you Mark.
Patchset v2:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html
https://bugs.launchpad.net/bugs/1910723
Title:
NULL
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
https://git.qemu.org/?p=qemu.
This is fixed now, thank you Mark.
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f48
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae
https://git.qemu.
** Changed in: qemu
Status: Fix Released => Fix Committed
https://bugs.launchpad.net/bugs/1909247
Title:
QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
St
** Changed in: qemu
Status: Fix Released => Fix Committed
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Stat
I'm not able to change the status of this bug anymore. It should have
been closed as "Fix committed" - QEMU 6.0.0 is not yet released.
https://bugs.launchpad.net/bugs/1919035
Title:
A
I'm not able to change the status of this bug anymore. It should have
been closed as "Fix committed" - QEMU 6.0.0 is not yet released.
https://bugs.launchpad.net/bugs/1919036
Title:
A
Technically, the first one is a heap use-after-free, while the second a
stack buffer overflow. They could be two different manifestations of the
same issue; they both originate from handle_ti() and the root cause may
be the same.
Heap uaf:
==