Re: [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB

2018-11-20 Thread Paolo Bonzini
On 19/11/18 18:43, Kevin Wolf wrote: > On 19.11.2018 at 18:09, Paolo Bonzini wrote: >> On 19/11/18 16:23, Mark Kanda wrote: >>> For CVE-2018-16847, I just noticed Kevin pulled in Li's previous fix (as >>> opposed to this one). Was this done in error? >> >> Probably. Kevin, can you revert

Re: [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB

2018-11-19 Thread Kevin Wolf
On 19.11.2018 at 18:09, Paolo Bonzini wrote: > On 19/11/18 16:23, Mark Kanda wrote: > > For CVE-2018-16847, I just noticed Kevin pulled in Li's previous fix (as > > opposed to this one). Was this done in error? > > Probably. Kevin, can you revert and apply this one instead? I don't > ca

Re: [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB

2018-11-19 Thread Paolo Bonzini
On 19/11/18 16:23, Mark Kanda wrote: > For CVE-2018-16847, I just noticed Kevin pulled in Li's previous fix (as > opposed to this one). Was this done in error? Probably. Kevin, can you revert and apply this one instead? I don't care if 3.1 or 3.2, but the previous fix is pointless complication.

Re: [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB

2018-11-19 Thread Mark Kanda
For CVE-2018-16847, I just noticed Kevin pulled in Li's previous fix (as opposed to this one). Was this done in error? Thanks, -Mark On 11/16/2018 3:31 AM, Paolo Bonzini wrote: Because the CMB BAR has a min_access_size of 2, if you read the last byte it will try to memcpy *2* bytes from n->cm

Re: [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB

2018-11-16 Thread no-reply
Hi, This series seems to have some coding style problems. See output below for more information: Message-id: 20181116093152.27227-1-pbonz...@redhat.com Type: series Subject: [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB === TEST SCRIPT BEGIN === #!/bin/bash BASE=base n

Re: [Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB

2018-11-16 Thread Li Qiang
Paolo Bonzini wrote on Fri, 16 Nov 2018 at 17:31: > Because the CMB BAR has a min_access_size of 2, if you read the last > byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one > error. This is CVE-2018-16847. > > Another way to fix this might be to register the CMB as a RAM memory > re

[Qemu-devel] [PATCH for-3.1] nvme: fix out-of-bounds access to the CMB

2018-11-16 Thread Paolo Bonzini
Because the CMB BAR has a min_access_size of 2, if you read the last byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one error. This is CVE-2018-16847. Another way to fix this might be to register the CMB as a RAM memory region, which would also be more efficient. However,