qemu-stable


From: Peter Maydell
Subject: Re: [PATCH for-5.0] hw/i386/amd_iommu.c: Fix corruption of log events passed to guest
Date: Thu, 26 Mar 2020 11:24:56 +0000

On Thu, 26 Mar 2020 at 11:12, Michael S. Tsirkin <address@hidden> wrote:
>
> On Thu, Mar 26, 2020 at 10:53:49AM +0000, Peter Maydell wrote:
> > In the function amdvi_log_event(), we write an event log buffer
> > entry into guest ram, whose contents are passed to the function
> > via the "uint64_t *evt" argument. Unfortunately, a spurious
> > '&' in the call to dma_memory_write() meant that instead of
> > writing the event to the guest we would write the literal value
> > of the pointer, plus whatever was in the following 8 bytes
> > on the stack. This error was spotted by Coverity.
> >
> > Fix the bug by removing the '&'.
> >
> > Fixes: CID 1421945
> > Cc: address@hidden
> > Signed-off-by: Peter Maydell <address@hidden>
>
> Acked-by: Michael S. Tsirkin <address@hidden>
>
> I think this is needed for stable as well.

Yep; I put in the Cc: stable tag but I see I forgot to cc them
on the patchmail.

> Do we want a CVE: this seems to leak pointer value to guest, defeating ASLR, 
> right?

I asked Paolo privately before posting this and he felt it
didn't really need the CVE machinery. I don't have a strong
view personally.

thanks
-- PMM
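The bug class described in the quoted commit message, shown as an added example (this is not QEMU's code and not the patch under discussion). It assumes a 16-byte event log entry, a 64-bit host, and a memcpy-based stand-in for dma_memory_write() writing into a constructed guest-RAM buffer. The pre-fix pattern copies from '&evt', the address of the local pointer variable, so the guest receives the host pointer value followed by the neighbouring stack bytes; to show that without undefined behaviour, the pointer is placed in a struct next to a second 8-byte field that plays the role of "the following 8 bytes on the stack".

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not QEMU code. Assumptions: 16-byte log entry (two uint64_t
 * words), 64-bit host, and fake_dma_memory_write() standing in for
 * dma_memory_write() by copying into a constructed guest-RAM buffer. */

#define EVENT_LEN 16

_Static_assert(sizeof(void *) == 8, "example assumes a 64-bit host");

static uint8_t guest_ram[64];   /* constructed stand-in for guest memory */

static void fake_dma_memory_write(uint64_t addr, const void *buf, size_t len)
{
    memcpy(&guest_ram[addr], buf, len);
}

/* Models the host stack around the pre-fix call: 'evt' is the uint64_t *
 * local, 'next_slot' is whatever happens to sit in the following 8 bytes.
 * Using a struct keeps the 16-byte read well defined for the demonstration. */
struct host_frame {
    uint64_t *evt;
    uint64_t next_slot;     /* neighbouring stack bytes that get leaked */
};

/* Pre-fix shape: the spurious '&' passes the address of the pointer itself.
 * No compiler warning, because uint64_t ** converts silently to const void *. */
static void log_event_buggy(uint64_t addr, struct host_frame *fr)
{
    fake_dma_memory_write(addr, &fr->evt, EVENT_LEN);
}

/* Post-fix shape: pass the pointer, so the event contents are copied. */
static void log_event_fixed(uint64_t addr, const uint64_t *evt)
{
    fake_dma_memory_write(addr, evt, EVENT_LEN);
}

/* Returns 1 if the buggy path wrote the host pointer value and its
 * neighbouring stack word into guest RAM instead of the event, else 0. */
int buggy_path_leaks_host_pointer(void)
{
    uint64_t event[2] = { 0x1122334455667788ULL, 0x99aabbccddeeff00ULL };
    struct host_frame fr = { event, 0xdeadbeefcafef00dULL };
    uint64_t *expected_ptr = event;

    memset(guest_ram, 0, sizeof guest_ram);
    log_event_buggy(0, &fr);

    return memcmp(guest_ram, &expected_ptr, sizeof expected_ptr) == 0
        && memcmp(guest_ram + 8, &fr.next_slot, sizeof fr.next_slot) == 0
        && memcmp(guest_ram, event, EVENT_LEN) != 0;
}

/* Returns 1 if the fixed path wrote the actual event contents, else 0. */
int fixed_path_writes_event(void)
{
    uint64_t event[2] = { 0x1122334455667788ULL, 0x99aabbccddeeff00ULL };

    memset(guest_ram, 0, sizeof guest_ram);
    log_event_fixed(0, event);

    return memcmp(guest_ram, event, EVENT_LEN) == 0;
}
```

The reason this slips past normal builds is that `&evt` has type `uint64_t **`, which converts to the `const void *` buffer parameter without any diagnostic, so only a static analyser (Coverity, in the thread above) or a test that inspects the guest-visible bytes catches it. From the guest's side, the first word of every log entry is a host virtual address, which is the ASLR-relevant leak raised in the reply.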


