[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH for-5.0] hw/i386/amd_iommu.c: Fix corruption of log events pa
Michael S. Tsirkin
Re: [PATCH for-5.0] hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
Thu, 26 Mar 2020 10:30:23 -0400
On Thu, Mar 26, 2020 at 11:24:56AM +0000, Peter Maydell wrote:
> On Thu, 26 Mar 2020 at 11:12, Michael S. Tsirkin <address@hidden> wrote:
> > On Thu, Mar 26, 2020 at 10:53:49AM +0000, Peter Maydell wrote:
> > > In the function amdvi_log_event(), we write an event log buffer
> > > entry into guest ram, whose contents are passed to the function
> > > via the "uint64_t *evt" argument. Unfortunately, a spurious
> > > '&' in the call to dma_memory_write() meant that instead of
> > > writing the event to the guest we would write the literal value
> > > of the pointer, plus whatever was in the following 8 bytes
> > > on the stack. This error was spotted by Coverity.
> > >
> > > Fix the bug by removing the '&'.
> > >
> > > Fixes: CID 1421945
> > > Cc: address@hidden
> > > Signed-off-by: Peter Maydell <address@hidden>
> > Acked-by: Michael S. Tsirkin <address@hidden>
> > I think this is needed for stable as well.
> Yep; I put in the Cc: stable tag but I see I forgot to cc them
> on the patchmail.
> > Do we want a CVE: this seems to leak pointer value to guest, defeating
> > ASLR, right?
> I asked Paolo privately before posting this and he felt it
> didn't really need the CVE machinery. I don't have a strong
> view personally.
> -- PMM
I tagged this now, thanks!