On 20 November 2018 at 18:41, Paolo Bonzini <pbonz...@redhat.com> wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last
> byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error.  This is CVE-2018-16847.

Maybe we should change the MemoryRegionOps API so that
devices have to explicitly opt in to handling accesses
that span off the end of the region size they've registered?
IIRC we have one or two oddball devices that care about that
(probably mostly x86 IO port devices), but most device
implementations will not be expecting it.

I'm also surprised that the memory subsystem permits a
2 byte access at address sz-1 here, since .impl.unaligned
is not set...

thanks
-- PMM
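To make the off-by-one concrete, here is a small constructed C model of the failure mode (added here; it is not QEMU code and does not use the real MemoryRegionOps API): a region with an 8-byte backing buffer and min_access_size 2, a helper that reports how far a widened access would run past the buffer, and a read routine that refuses such an access instead of calling memcpy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical model of a region: backing buffer, its size, and the
 * minimum access width the bus layer widens small accesses up to. */
typedef struct {
    const uint8_t *buf;
    uint64_t size;
    unsigned min_access_size;
} Region;

/* Constructed 8-byte stand-in for the CMB buffer. */
static const uint8_t cmb_sample[8] = {0, 1, 2, 3, 4, 5, 6, 7};
static const Region cmb = { cmb_sample, sizeof cmb_sample, 2 };

/* Width the access is widened to (model of min_access_size). */
static unsigned effective_size(const Region *r, unsigned size)
{
    return size < r->min_access_size ? r->min_access_size : size;
}

/* Bytes the widened access would read past the end of the buffer.
 * For a 1-byte read of the last byte with min_access_size 2 this is 1. */
static uint64_t bytes_past_end(const Region *r, uint64_t addr, unsigned size)
{
    uint64_t end = addr + effective_size(r, size);
    return end > r->size ? end - r->size : 0;
}

/* Hardened read: reject any access that would span off the region rather
 * than memcpy past the buffer. out must hold at least min_access_size. */
static bool region_read(const Region *r, uint64_t addr, unsigned size,
                        uint8_t *out)
{
    unsigned width = effective_size(r, size);
    if (addr >= r->size || width > r->size - addr) {
        return false;   /* would read beyond the backing buffer */
    }
    memcpy(out, r->buf + addr, width);
    return true;
}

/* The CVE-2018-16847 shape: 1-byte read at size-1, widened to 2 bytes. */
static uint64_t demo_overrun(void)
{
    return bytes_past_end(&cmb, cmb.size - 1, 1);
}

/* The hardened read refuses that access but still serves an in-bounds one. */
static bool demo_hardened(void)
{
    uint8_t out[2];
    bool rejected = !region_read(&cmb, cmb.size - 1, 1, out);
    bool ok = region_read(&cmb, cmb.size - 2, 2, out);
    return rejected && ok && out[0] == 6 && out[1] == 7;
}
```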
