On 20.11.2018 at 19:41, Paolo Bonzini wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last
> byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error.  This is CVE-2018-16847.
> 
> Another way to fix this might be to register the CMB as a RAM memory
> region, which would also be more efficient.  However, that might be a
> change for big-endian machines; I didn't think this through and I don't
> know how real hardware works.  Add a basic testcase for the CMB in case
> somebody does this change later on.
> 
> Cc: Keith Busch <[email protected]>
> Cc: [email protected]
> Reported-by: Li Qiang <[email protected]>
> Reviewed-by: Li Qiang <[email protected]>
> Tested-by: Li Qiang <[email protected]>
> Signed-off-by: Paolo Bonzini <[email protected]>

Thanks, applied to the block branch and reverted 5e3c0220d7.

Kevin
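The off-by-one described in the quoted commit message, reduced to a self-contained C model. This is an added example, not code from the page, from QEMU or from the patch Kevin applied: `backing`, `cmb_ops`, `effective_access_size` and `cmb_read_checked` are hypothetical stand-ins. It assumes (as the message states) that the memory API widens a 1-byte guest read up to `min_access_size` before calling the device's read callback, and that the callback then `memcpy`s that many bytes from the CMB buffer without a bounds check. The bytes past the constructed 16-byte CMB are filled with a canary so the overread shows up in the returned value instead of being undefined behaviour; the hardened read is one defensive shape, not the fix on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the controller's CMB buffer (n->cmbuf in the
 * commit message). Only the first CMB_SIZE bytes are the CMB; the bytes
 * after it model whatever the heap holds next and carry a canary so that
 * an overread is visible in the value the read returns. */
#define CMB_SIZE 16
#define CANARY   0xAA
static uint8_t backing[CMB_SIZE + 8];
static uint8_t *const cmbuf = backing;          /* n->cmbuf stand-in */

static void cmb_init(void)
{
    for (unsigned i = 0; i < CMB_SIZE; i++) cmbuf[i] = (uint8_t)i;  /* CMB contents */
    memset(backing + CMB_SIZE, CANARY, sizeof(backing) - CMB_SIZE); /* beyond the CMB */
}

/* Hypothetical mirror of the .impl.min_access_size / .max_access_size fields. */
struct cmb_ops { unsigned min_access_size, max_access_size; };

/* Size the read callback is handed once a narrow guest access has been
 * widened up to min_access_size (our model of the memory API; assumption). */
unsigned effective_access_size(const struct cmb_ops *ops, unsigned guest_size)
{
    if (guest_size < ops->min_access_size) return ops->min_access_size;
    if (guest_size > ops->max_access_size) return ops->max_access_size;
    return guest_size;
}

/* Vulnerable shape: copies `size` bytes from cmbuf + addr with no bounds
 * check, which is the behaviour the commit message describes. */
uint64_t cmb_read_unchecked(uint64_t addr, unsigned size)
{
    uint64_t val = 0;
    memcpy(&val, cmbuf + addr, size);
    return val;
}

/* Hardened shape (added here, not the patch on the page): reject any access
 * that does not fit inside the CMB. Returns 0 on success, -1 if rejected. */
int cmb_read_checked(uint64_t addr, unsigned size, uint64_t *out)
{
    uint64_t val = 0;
    if (size == 0 || size > sizeof(val) || addr >= CMB_SIZE || size > CMB_SIZE - addr) {
        return -1;
    }
    memcpy(&val, cmbuf + addr, size);
    *out = val;
    return 0;
}

/* Does a 1-byte guest read of the last CMB byte leak a byte from beyond it?
 * Returns 1 if any byte of the copied value came from the canary region. */
int last_byte_read_leaks(const struct cmb_ops *ops)
{
    uint8_t raw[sizeof(uint64_t)];
    cmb_init();
    unsigned size = effective_access_size(ops, 1);
    uint64_t v = cmb_read_unchecked(CMB_SIZE - 1, size);
    memcpy(raw, &v, sizeof raw);    /* storage order, so raw[i] is the i-th copied byte on any host endianness */
    for (unsigned i = 1; i < size; i++) {
        if (raw[i] == CANARY) return 1;
    }
    return 0;
}

int main(void)
{
    struct cmb_ops min2 = { .min_access_size = 2, .max_access_size = 8 };
    struct cmb_ops min1 = { .min_access_size = 1, .max_access_size = 8 };
    uint64_t v;
    printf("min_access_size=2: last-byte read leaks? %d\n", last_byte_read_leaks(&min2));
    printf("min_access_size=1: last-byte read leaks? %d\n", last_byte_read_leaks(&min1));
    printf("checked 2-byte read at last byte rejected? %d\n",
           cmb_read_checked(CMB_SIZE - 1, 2, &v) == -1);
    return 0;
}
```

With `min_access_size` 2 the single-byte read of offset 15 is turned into a 2-byte copy and the second byte comes from outside the CMB; with `min_access_size` 1 it does not. Whichever way the device side is fixed, the callback should still bounds-check `addr + size` against the region it serves rather than trust the widened size.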
