l net_tx_pkt_update_sctp_checksum(struct NetTxPkt
> *pkt)
> uint32_t csum = 0;
> struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
>
> +if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
> +return false;
> +
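Review bot: the `8` in `iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)` is a bare magic number; it reads as the offset of the checksum field inside the SCTP common header, so give it a name or a comment at the check, and have the commit message state that a payload shorter than that now makes the function return false instead of proceeding. Returning false while `csum` is still zero is fine only if every caller treats false as "checksum not updated"; worth confirming at the call sites.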
changed, 34 insertions(+), 16 deletions(-)
>
> --
> 2.41.0
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
> +if (size > available) {
> +qemu_log_mask(LOG_GUEST_ERROR, "SDHC buffer data full (size:
> %"PRIu32")"
> + " discarding %u byte%s\n",
> + s->buf_maxsz, size - available,
> + size - available > 1 ? "s" : "");
> +size = available; /* Excess data of the last write is ignored. */
> +}
> for (i = 0; i < size; i++) {
> s->fifo_buffer[s->data_count] = value & 0xFF;
> s->data_count++;
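Review bot: the qemu_log_mask format string uses `%"PRIu32"` for `s->buf_maxsz` but a plain `%u` for `size - available`; unless `size` and `available` are plain `unsigned int`, use `PRIu32` (or a cast) for both so the two halves of the message agree and -Wformat stays quiet. Clamping with `size = available;` before the `for (i = 0; i < size; i++)` loop is what keeps `s->fifo_buffer[s->data_count]` in range, so the comment `/* Excess data of the last write is ignored. */` could say that explicitly.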
> --
> 2.41.0
>
Thank you Philippe. This was assigned CVE-2024-3447.
> hw/display/virtio-gpu.c | 6 ++
> hw/virtio/virtio-crypto.c | 4 ++--
> hw/virtio/virtio.c | 10 ++
> 5 files changed, 22 insertions(+), 8 deletions(-)
>
> --
> 2.41.0
>
Thanks,
>>
>> Reported-by: Xiao Lei
>> Cc: Yuri Benditovich
>> Cc: qemu-sta...@nongnu.org
>> Cc: Mauro Matteo Cascella
>> Fixes: CVE-2023-6693
>> Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report")
>> Signed-off-by: Jason
,6 +83,7 @@ Responsible Disclosure, Reporting Security Issues
-----
W: https://wiki.qemu.org/SecurityProcess
M: Michael S. Tsirkin
+L: qemu-secur...@nongnu.org
L: secal...@redhat.com
Trivial patches
> Thanks,
> Stefan
>
Thank you,
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36648
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1863025
Title:
Use-after-free after flush in TCG accelerator
Status in QEMU:
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
On Mon, Aug 28, 2023 at 6:11 PM Philippe Mathieu-Daudé
wrote:
>
> On 27/8/23 13:07, Mauro Matteo Cascella wrote:
> > On Sat, Aug 26, 2023 at 4:31 PM Mauro Matteo Cascella
> > wrote:
> >>
> >> On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella
> >>
On Sat, Aug 26, 2023 at 4:31 PM Mauro Matteo Cascella
wrote:
>
> On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella
> wrote:
> >
> > rocker_tlv_parse_nested could return early because of no group ids in
> > the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in
On Fri, Jun 24, 2022 at 4:40 PM Mauro Matteo Cascella
wrote:
>
> rocker_tlv_parse_nested could return early because of no group ids in
> the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next
> for-loop will deref the NULL pointer.
Someone somehow reserved a new CVE
much for this, picked up now!
I do not see the second part of the fix (commit 07ce178a "qga/win32:
Use rundll for VSS installation") in stable-7.2. Has it somehow fallen
through the cracks?
Thanks,
> /mjt
>
On Tue, Jul 4, 2023 at 11:03 AM Marc-André Lureau
wrote:
>
>
>
> On Tue, Jul 4, 2023 at 10:42 AM Mauro Matteo Cascella
> wrote:
>>
>> A wrong exit condition may lead to an infinite loop when inflating a
>> valid zlib buffer containing some extra bytes in the
-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis
Signed-off-by: Mauro Matteo Cascella
---
ui/vnc-clipboard.c | 10 --
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 8aeadfaa21..c759be3
ertions(+), 1 deletion(-)
>
> Fixes: CVE-2023-1544
>
> Ping ^2?
Ping ^3?
> Laurent, maybe you can take this one too?
> I understand the fact you picked up the previous one in this area
> does not make you pvrdma maintainer, but it is definitely being stuck.. :)
>
> /mjt
>
2022-11/msg01068.html
There was a better patch proposed by Philippe:
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01161.html
Which was later dropped due to a CI failure:
https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01504.html
Not sure what's the current status.
>
protects us against accidentally introducing future bugs.
Signed-off-by: Mauro Matteo Cascella
Reported-by: Jacek Halon
Reported-by: Yair Mizrahi
Reported-by: Elsayed El-Refa'ei
Reviewed-by: Marc-André Lureau
Reviewed-by: Daniel P. Berrangé
---
v2:
- update commit summary/description
On Tue, May 23, 2023 at 4:07 PM Philippe Mathieu-Daudé
wrote:
>
> On 23/5/23 14:57, Mauro Matteo Cascella wrote:
> > On Tue, May 23, 2023 at 10:37 AM Philippe Mathieu-Daudé
> > wrote:
> >>
> >> On 23/5/23 10:09, Daniel P. Berrangé wrote:
> >>> On
On Tue, May 23, 2023 at 3:03 PM Daniel P. Berrangé wrote:
>
> On Tue, May 23, 2023 at 02:50:09PM +0200, Mauro Matteo Cascella wrote:
> > On Tue, May 23, 2023 at 10:16 AM Daniel P. Berrangé
> > wrote:
> > >
> > > On Mon, May 08, 2023 at 04:18:13PM +0200, Maur
> >>> On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella
> >>> mailto:mcasc...@redhat.com>> wrote:
> >>>
> >>> The cursor_alloc function still accepts a signed integer for both
> >>> the cursor
> >>> widt
On Tue, May 23, 2023 at 10:16 AM Daniel P. Berrangé wrote:
>
> On Mon, May 08, 2023 at 04:18:13PM +0200, Mauro Matteo Cascella wrote:
> > The cursor_alloc function still accepts a signed integer for both the cursor
> > width and height. A specially crafted negative width
On Mon, May 22, 2023 at 8:55 PM Philippe Mathieu-Daudé
wrote:
>
> On 9/5/23 09:13, Marc-André Lureau wrote:
> > Hi
> >
> > On Mon, May 8, 2023 at 6:21 PM Mauro Matteo Cascella
> > mailto:mcasc...@redhat.com>> wrote:
> >
> > The cursor_alloc
On Mon, May 8, 2023 at 4:20 PM Mauro Matteo Cascella
wrote:
>
> The cursor_alloc function still accepts a signed integer for both the cursor
> width and height. A specially crafted negative width/height could make datasize
> wrap around and cause the next allocation to be
On Tue, May 9, 2023 at 3:47 AM zhenwei pi wrote:
>
>
>
> On 5/9/23 09:02, Gonglei (Arei) wrote:
> >
> >
> >> -Original Message-
> >> From: Mauro Matteo Cascella [mailto:mcasc...@redhat.com]
> >> Sent: Monday, May 8, 2023 11:02 PM
>
Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM algtype.
Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
Signed-off-by: Mauro Matteo Cascella
Reported-by: Yiming Tao
---
v2:
- updated 'Fixes:' tag
hw/virtio/virtio-crypto.c | 20 +++-
Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM algtype.
Fixes: 02ed3e7c ("virtio-crypto: zeroize the key material before free")
Signed-off-by: Mauro Matteo Cascella
Reported-by: Yiming Tao
---
hw/virtio/virtio-crypto.c | 20 +++-
1 file changed, 11
prototype to
accept unsigned ints.
Fixes: CVE-2023-1601
Fixes: fa892e9a ("ui/cursor: fix integer overflow in cursor_alloc
(CVE-2021-4206)")
Signed-off-by: Mauro Matteo Cascella
Reported-by: Jacek Halon
---
include/ui/console.h | 4 ++--
ui/cursor.c | 2 +-
2 files changed, 3
> >> On Jan 16, 2023, at 2:42 PM, Mauro Matteo Cascella
> >> wrote:
> >>
> >> This prevents the well known DMA-MMIO reentrancy problem (upstream issue
> >> #556)
> >> leading to memory corruption bugs like stack overflow or use-after-free.
o check qemu-devel@nongnu.org from time to time.
>
> Marcel, any feedback?
> > @@ -31,6 +31,7 @@
> > />
> >> EmbedCab="yes" />
> > 1
> > +
> >> DowngradeErrorMessage="Error: A newer version of QEMU guest agent
> > is already installed."
> > />
> > --
> > 2.25.1
> >
> >
>
Hi Philippe,
On Mon, Feb 13, 2023 at 7:26 PM Philippe Mathieu-Daudé
wrote:
>
> Hi Mauro,
>
> On 13/2/23 18:41, Mauro Matteo Cascella wrote:
> > The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
> > bytes long. Only fill in the buf
The guest can control the size of buf; an OOB write occurs when buf is 1 or 2
bytes long. Only fill in the buffer as long as there is enough space, throw
away any data which doesn't fit.
Signed-off-by: Mauro Matteo Cascella
---
hw/usb/dev-wacom.c | 20 +---
1 file change
On Thu, Dec 22, 2022 at 6:29 PM Mauro Matteo Cascella
wrote:
>
> Local variable "name" is allocated through strdup_printf and should be
> freed with g_free() to avoid memory leak.
>
> Fixes: 3616f424 ("nubus-device: add romfile property for loading declaration
On Mon, Jan 16, 2023 at 9:42 PM Mauro Matteo Cascella
wrote:
>
> This prevents the well known DMA-MMIO reentrancy problem (upstream issue #556)
> leading to memory corruption bugs like stack overflow or use-after-free.
>
> Fixes: CVE-2023-0330
> Signed-off-by: Mauro Matteo Casce
This prevents the well known DMA-MMIO reentrancy problem (upstream issue #556)
leading to memory corruption bugs like stack overflow or use-after-free.
Fixes: CVE-2023-0330
Signed-off-by: Mauro Matteo Cascella
Reported-by: Zheyu Ma
---
hw/scsi/lsi53c895a.c | 14
Local variable "name" is allocated through strdup_printf and should be
freed with g_free() to avoid memory leak.
Fixes: 3616f424 ("nubus-device: add romfile property for loading declaration
ROMs")
Signed-off-by: Mauro Matteo Cascella
---
hw/nubus/nubus-device.c | 1
++++-
> 4 files changed, 67 insertions(+), 14 deletions(-)
>
> --
> 2.38.1
>
On Wed, Nov 9, 2022 at 5:19 PM Bin Meng wrote:
>
> On Wed, Nov 9, 2022 at 6:10 PM Mauro Matteo Cascella
> wrote:
> >
> > On Wed, Nov 9, 2022 at 10:45 AM Siqi Chen wrote:
> > >
> > > Hi,
> > >
> > > >This reproducer does not crash my Q
ll_main (/lib64/libc.so.6+0x40f5f)
#23 0x7f880872900f in __libc_start_main_impl (/lib64/libc.so.6+0x4100f)
#24 0x55b023679644 in _start (./qemu-system-x86_64+0x20f2644)
> Thanks,
> Siqi Chen.
>
>
>
> Bin Meng wrote on Wednesday, November 9, 2022 at 17:30:
>>
>> Hi,
>>
ACE_AVAILABLE | SDHC_DATA_INHIBIT;
> + SDHC_DATA_INHIBIT;
> sdhci_write_block_to_card(s);
> }
> }
> --
> 2.38.1
>
Tested-by: Mauro Matteo Cascella
Thank you,
On Mon, Nov 7, 2022 at 8:12 PM Philippe Mathieu-Daudé wrote:
>
> On 7/11/22 11:35, Mauro Matteo Cascella wrote:
> > Make sure to reset data_count if it's equal to (or exceeds) block_size.
> > This prevents an off-by-one read / write when accessing s->fifo_buffer
On Mon, Nov 7, 2022 at 11:35 AM Mauro Matteo Cascella
wrote:
>
> Make sure to reset data_count if it's equal to (or exceeds) block_size.
> This prevents an off-by-one read / write when accessing s->fifo_buffer
> in sdhci_read_dataport / sdhci_write_dataport, bot
ivenDell
Reported-by: Siqi Chen
Reported-by: ningqiang
Signed-off-by: Mauro Matteo Cascella
---
hw/sd/sdhci.c | 4
1 file changed, 4 insertions(+)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 306070c872..aa2fd79df2 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -978,6 +978,10 @@ sta
Commit 799f7f01 left some DMA calls unprotected. Let's patch them.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
Reported-by: Siqi Chen
Signed-off-by: Mauro Matteo Cascella
---
hw/sd/sdhci.c | 22 +-
1 file changed, 13 insertions(+), 9 deletions(-)
On Sun, Sep 25, 2022 at 10:45 PM Mauro Matteo Cascella
wrote:
>
> Extended ClientCutText messages start with a 4-byte header. If len < 4,
> an integer underflow occurs in vnc_client_cut_text_ext. The result is
> used to decompress data in a while loop in inflate_buffer, l
in
protocol_client_msg.
Fixes: CVE-2022-3165
Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Reported-by: TangPeng
Signed-off-by: Mauro Matteo Cascella
---
Extended Clipboard Pseudo-Encoding:
https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#extended-clipboard-pseudo-encoding
test_lsi_do_msgout_cancel_req does not run on machines with small size
memory. Reduce guest memory from 4G to 2G to alleviate the problem.
Reported-by: Bin Meng
Signed-off-by: Mauro Matteo Cascella
---
tests/qtest/fuzz-lsi53c895a-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion
Hi Bin,
On Fri, Sep 2, 2022 at 3:56 AM Bin Meng wrote:
>
> Hi,
>
> On Wed, Jul 13, 2022 at 8:45 PM Paolo Bonzini wrote:
> >
> > From: Mauro Matteo Cascella
> >
> > Set current_req to NULL, not current_req->req, to prevent reusing a free'd
p;& !(trb.control & TRB_TR_CH)) {
> return length;
> }
> -}
> +
> +/*
> + * According to the xHCI spec, Transfer Ring segments should have
> + * a maximum size of 64 kB (see chapter "6 Data Structures")
MTX_OK) {
> +qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
> + __func__);
> +return -length;
Not strictly related to this issue, but what's the point of returning
-length instead of e.g. -1? Apart from that, LGTM. Thank you.
> +}
> le64_to_cpus(&trb.parameter);
> le32_to_cpus(&trb.status);
> le32_to_cpus(&trb.control);
> --
> 2.31.1
>
ssues/972
Signed-off-by: Mauro Matteo Cascella
---
v2:
- handle CLEAR QUEUE and BUS DEVICE RESET messages
- new qtest: test_lsi_do_msgout_cancel_req
hw/scsi/lsi53c895a.c | 2 +
tests/qtest/fuzz-lsi53c895a-test.c | 71 ++
2 files changed, 73 insertions(+)
>
> On 220705 2205, Mauro Matteo Cascella wrote:
> > Set current_req->req to NULL to prevent reusing a free'd buffer in case of
> > repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the
> > patch.
> >
> > Fixes: CVE-2022-0216
Set current_req->req to NULL to prevent reusing a free'd buffer in case of
repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella
---
This prevents an OOB read (followed by an assertion failure in
xhci_kick_ep) when slotid > xhci->numslots.
Reported-by: Soul Chen
Signed-off-by: Mauro Matteo Cascella
---
hw/usb/hcd-xhci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/u
rocker_tlv_parse_nested could return early because of no group ids in
the group_tlvs. In such case tlvs is NULL; tlvs[i + 1] in the next
for-loop will deref the NULL pointer.
Signed-off-by: Mauro Matteo Cascella
Reported-by:
---
hw/net/rocker/rocker_of_dpa.c | 5 +
1 file changed, 5
On Thu, Apr 7, 2022 at 11:17 AM Marc-André Lureau
wrote:
>
>
>
> On Thu, Apr 7, 2022 at 12:23 PM Mauro Matteo Cascella
> wrote:
>>
>> Prevent potential integer overflow by limiting 'width' and 'height' to
>> 512x512. Also change 'dat
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella
---
v2:
- fix CVE id (CVE-2021-4207 inst
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2022-4206
Signed-off-by: Mauro Matteo Ca
> 256) is already done in vmsvga_fifo_run before calling
vmsvga_cursor_define. You want me to add another check in
vmsvga_cursor_define and return NULL if cursor_alloc fails?
> take care,
> Gerd
>
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2022-4207
Signed-off-by: Mauro Matteo Cascella
---
hw/display/qxl-render.c | 2 +
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2022-4206
Signed-off-by: Mauro Matteo Cascella
On Thu, Dec 23, 2021 at 2:43 PM Michael S. Tsirkin wrote:
>
> On Thu, Dec 23, 2021 at 10:58:14AM +0100, Mauro Matteo Cascella wrote:
> > Hi,
> >
> > On Wed, Dec 22, 2021 at 9:52 PM Michael S. Tsirkin wrote:
> > >
> > > On Wed, Dec 22, 2021 at 09:2
ake it clear (probably here:
https://www.qemu.org/docs/master/system/security.html) that these
kinds of bugs are not eligible for CVE assignment.
> > > > Mauro, please update us when you get the CVE number.
> > > > Michael, please amend the CVE number before committing the fix.
> > > >
> > > > FWIW Paolo asked every fuzzed bug reproducer to be committed
> > > > as qtest, see tests/qtest/fuzz*c. Alex has a way to generate
> > > > reproducer in plain C.
> > > >
> > > > Regards,
> > > >
> > > > Phil.
> > >
>
gt;cdw10, lid = 3
> NVME_LOG_FW_SLOT_INFO, nvme_fw_log_info, buf_len = 4 */
> write 0x1030 0x4 0xfc01 /* cmd->cdw12 = 0x1fc, Log Page Offset,
> trans_len = sizeof(fw_log) - 0x1fc = 4 */
> clock_step
> EOF
>
> CC: Mauro Matteo Cascella and Philippe Mathieu-Daudé. S
t;flags & NVME_SG_ALLOC);
>
> if (sg->flags & NVME_SG_DMA) {
> -const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
> +const MemTxAttrs attrs = { .memory = true };
> MemTxResult res;
> uint64_t residual;
>
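Review bot: the one-line change from `MEMTXATTRS_UNSPECIFIED` to `{ .memory = true }` on the `NVME_SG_DMA` path alters which address-space targets the DMA may reach, and nothing in the hunk says why; add a short comment at the definition stating that the transfer is being restricted to RAM (memory-only attributes make an access that lands on an MMIO region fail) and spell out in the commit message the guest-visible effect for requests that previously pointed at device registers.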
> --
> 2.33.1
>
=2020588
Signed-off-by: Mauro Matteo Cascella
Reported-by: Qiuhao Li
---
hw/scsi/scsi-disk.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index e8a547dbb7..5852e8dcfd 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1087,6 +1087,7
easible to get a list of such devices? Or maybe the other
way around, document the list of devices that are undeniably security
supported (e.g., virtio*, *hci, e1000, etc.)?
+dst_x, dst_y,
> s->regs.dst_width, s->regs.dst_height,
> filler);
> pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
> -s->regs.dst_x, s->regs.dst_y,
> +dst_x, dst_y,
> s->regs.dst_width, s->regs.dst_height,
> filler);
> if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
> --
> 2.31.1
>
Tested-by: Mauro Matteo Cascella
Thanks.
oS the host or potentially exploit the
> use-after-free to execute code on the host.
>
This is actually an out-of-bounds access issue (not UAF). It's still
potentially bad, but I agree with Gerd the impact is low. Plus there's
an assert right before [1] that makes it a DoS if the acces
\x40", 0x1);
> +qtest_bufwrite(s, 0x3a8, "\x01", 0x1);
> +qtest_bufwrite(s, 0x3a9, "\x40", 0x1);
> +qtest_bufwrite(s, 0x3b8, "\x01", 0x1);
> +qtest_bufwrite(s, 0x3b9, "\x40", 0x1);
> +qtest_bufwrite(s, 0x3c8, "\x01", 0x1);
> +qtest_bufwrite(s, 0x3c9, "\x40", 0x1);
> +qtest_bufwrite(s, 0x3d8, "\x01", 0x1);
> +qtest_bufwrite(s, 0x3d9, "\x40", 0x1);
> +qtest_bufwrite(s, 0x3e8, "\x01", 0x1);
> +qtest_bufwrite(s, 0x3e9, "\x40", 0x1);
> +qtest_bufwrite(s, 0x3f8, "\x01", 0x1);
> +qtest_bufwrite(s, 0x3f9, "\x40", 0x1);
> +qtest_bufwrite(s, 0xd, "\x10", 0x1);
> +qtest_bufwrite(s, 0x2600, "\x00", 0x1);
> +qtest_quit(s);
> +}
> +
> +int main(int argc, char **argv)
> +{
> +const char *arch = qtest_get_arch();
> +
> +g_test_init(&argc, &argv, NULL);
> +
> +if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
> +qtest_add_func("fuzz/test_oss_35799_eth_setup_ip4_fragmentation",
> + test_oss_35799_eth_setup_ip4_fragmentation);
> +}
> +
> +return g_test_run();
> +}
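Review bot: `test_oss_35799_eth_setup_ip4_fragmentation` is an uncommented run of `qtest_bufwrite` calls with raw offsets and byte values; add a comment block above the function explaining which device registers the writes at 0x3a8..0x3f9, 0xd and 0x2600 program and which one triggers the original crash, so the reproducer stays maintainable if the register layout changes. Limiting registration in `main` to i386/x86_64 is consistent with the PCI device the MAINTAINERS and meson hunks add the test for (`CONFIG_VMXNET3_PCI`).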
> diff --git a/MAINTAINERS b/MAINTAINERS
> index cb8f3ea2c2e..43e5050ad96 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -2001,6 +2001,7 @@ S: Maintained
> F: hw/net/vmxnet*
> F: hw/scsi/vmw_pvscsi*
> F: tests/qtest/vmxnet3-test.c
> +F: tests/qtest/fuzz-vmxnet3-test.c
>
> Rocker
> M: Jiri Pirko
> diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
> index b03e8541700..42add92e9d4 100644
> --- a/tests/qtest/meson.build
> +++ b/tests/qtest/meson.build
> @@ -66,6 +66,7 @@
>(config_all_devices.has_key('CONFIG_TPM_TIS_ISA') ? ['tpm-tis-swtpm-test']
> : []) +\
>(config_all_devices.has_key('CONFIG_RTL8139_PCI') ? ['rtl8139-test'] : [])
> + \
>(config_all_devices.has_key('CONFIG_E1000E_PCI_EXPRESS') ?
> ['fuzz-e1000e-test'] : []) + \
> + (config_all_devices.has_key('CONFIG_VMXNET3_PCI') ? ['fuzz-vmxnet3-test']
> : []) + \
>(config_all_devices.has_key('CONFIG_ESP_PCI') ? ['am53c974-test'] : []) +
>\
>qtests_pci +
>\
>['fdc-test',
> --
> 2.31.1
>
Just FYI, this issue was assigned CVE-2021-3611 by Red Hat.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3611
https://bugs.launchpad.net/bugs/1907497
Title:
[OSS
On Fri, Jun 11, 2021 at 6:43 PM Mauro Matteo Cascella
wrote:
>
> ---
> hw/rdma/vmw/pvrdma_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
> index 84ae8024fc..e229c19564 100644
> --- a/h
---
hw/rdma/vmw/pvrdma_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 84ae8024fc..e229c19564 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -427,7 +427,7 @@ static void pvrdma_regs_wr
On Fri, Jun 11, 2021 at 6:20 PM Mauro Matteo Cascella
wrote:
>
> ---
> hw/rdma/vmw/pvrdma_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
> index 84ae8024fc..e229c19564 100644
> --- a/h
---
hw/rdma/vmw/pvrdma_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 84ae8024fc..e229c19564 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -427,7 +427,7 @@ static void pvrdma_regs_wr
Check rext.info to avoid potential NULL pointer dereference. A similar check
exists in interface_release_resource() in hw/display/qxl.c.
Reported-by: Yu Lu
Signed-off-by: Mauro Matteo Cascella
---
ui/spice-display.c | 4
1 file changed, 4 insertions(+)
diff --git a/ui/spice-display.c b
.size, p->id);
> --
> 2.30.2
>
Nitpick: I would probably reference CVE-2021-3527 in patch 4/5 and 5/5
as well. Just to avoid someone from cherry-picking this patch only,
not actually fixing the root cause of the CVE.
Regards.
Upstream commit:
https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d
** Changed in: qemu
Status: New => Fix Committed
I'm not able to change the status of this bug anymore. It should have
been closed as "Fix committed" - QEMU 6.0.0 is not yet released.
https://bugs.launchpad.net/bugs/1919036
Title:
A
I'm not able to change the status of this bug anymore. It should have
been closed as "Fix committed" - QEMU 6.0.0 is not yet released.
https://bugs.launchpad.net/bugs/1919035
Title:
A
** Changed in: qemu
Status: Fix Released => Fix Committed
https://bugs.launchpad.net/bugs/1910723
Title:
NULL pointer dereference issues in am53c974 SCSI host bus adapter
Stat
** Changed in: qemu
Status: Fix Released => Fix Committed
https://bugs.launchpad.net/bugs/1909247
Title:
QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/esp.c
St
This is fixed now, thank you Mark.
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f48
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae
https://git.qemu.
Patchset v4:
https://lists.gnu.org/archive/html/qemu-devel/2021-04/msg01000.html
Upstream commits:
https://git.qemu.org/?p=qemu.git;a=commit;h=0db895361b8a82e1114372ff9f4857abea605701
https://git.qemu.org/?p=qemu.git;a=commit;h=e392255766071c8cac480da3a9ae4f94e56d7cbc
https://git.qemu.org/?p=qemu.
I can confirm this is fixed now, thank you Mark.
Patchset v2:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg06550.html
https://bugs.launchpad.net/bugs/1910723
Title:
NULL
Hello,
Thank you all for your comments. Both patches (PJP/comment#8 -
Mark/comment#9) seem to properly fix the UAF reported by Alexander in
comment #6. However, I'm still able to reproduce the heap-bof from the
above hw-esp-oob-issues.zip:
./x86_64-softmmu/qemu-system-x86_64 -m 512 \
-drive file=
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35504
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35505
https://bugs.launchpad.net/bugs/1910723
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-35506
https://bugs.launchpad.net/bugs/1909247
Title:
QEMU: use after free vulnerability in esp_do_dma() in hw/scsi/es
Note that the use-after-free was found in v5.2.0 and, as far as I can
tell, is not reproducible anymore on master. The ESP/NCR53C9x emulator
(hw/scsi/esp.c) underwent several changes since v5.2.0. By git-
bisecting, it looks like the original reproducer is neutralized after
commit [1]. However, the
Technically, the first one is a heap use-after-free, while the second a
stack buffer overflow. They could be two different manifestations of the
same issue; they both originate from handle_ti() and the root cause may
be the same.
Heap uaf:
==
On Thu, Feb 11, 2021 at 8:48 PM Philippe Mathieu-Daudé wrote:
>
> On 2/11/21 9:52 AM, Mauro Matteo Cascella wrote:
> > Hello,
> >
> > On Wed, Feb 10, 2021 at 11:27 PM Alistair Francis
> > wrote:
> >>
> >> On Tue, Feb 9, 2021 at 2:
I'm actually
thinking of assigning a new CVE for this, to make it possible for
distros to apply this fix.
On Mon, Feb 8, 2021 at 9:26 PM Philippe Mathieu-Daudé wrote:
>
> On Mon, Feb 8, 2021 at 8:59 PM Mauro Matteo Cascella
> wrote:
> > On Mon, Feb 8, 2021 at 8:35 PM Philippe Mathieu-Daudé
> > wrote:
> > >
> > > Per the "SD Host Controller Simplified Sp
d fd fd fd fd fd fd fd
> 0x0c2a7790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2a77a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2a77b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes)
ur CI. There are
> borderline cases not representing proper use. Maybe we could run
> them weekly instead...
Hello,
Any updates on this little patch? Please find below a reproducer for
this bug (thanks Alexander):
https://lists.nongnu.org/archive/html/qemu-devel/2021-01/msg02567.html
Thank you,
On Thu, Dec 24, 2020 at 6:55 PM Mauro Matteo Cascella
wrote:
>
> Ensure that 'cmd->fram
Public bug reported:
Two NULL pointer dereference issues were found in the am53c974 SCSI host
bus adapter emulation of QEMU. They could occur while handling the
'Information Transfer' command (CMD_TI) in function handle_ti() in
hw/scsi/esp.c, and could be abused by a malicious guest to crash the
Q