On Sun, 14 Jun 2026 at 23:22, imaginos <[email protected]> wrote:
>
> The PMBus string registers (e.g. MFR_MODEL on the ADM1266) are writable
> by the guest. pmbus_receive_block() can fill the destination field
> completely, leaving no NUL terminator. When the value is later read back,
> pmbus_send_string() calls strlen() on it, which reads past the end of the
> array and returns a length that trips
>
>     g_assert(len + pmdev->out_buf_len < SMBUS_DATA_MAX_LEN);
>
> aborting QEMU. This is guest-triggerable.
>
> Add pmbus_receive_string(), the write-side mirror of pmbus_send_string(),
> which reserves the last byte of the destination so the stored value is
> always NUL-terminated, and use it for the ADM1266 MFR string registers.
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3388
> Signed-off-by: imaginos <[email protected]>

Thanks for looking at this. Notably, the bug report in #3388 makes
a completely incorrect claim about what its repro case is actually
doing. The repro case does the "write 32 bytes to trash the NUL
terminator, then try to read back", which is what this patch addresses.

I'll let the pmbus maintainers review the patch from a technical
point of view.

-- PMM
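To make the failure mode in the quoted description concrete, here is a small stand-alone model added here (constructed for illustration, not code from QEMU or from the patch): a fixed-size string register filled by a block-style receive that can leave no NUL behind, beside a string-style receive that reserves the last byte. The type and function names are hypothetical; only the 32-byte field size follows the repro described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REG_LEN 32  /* field size in this model; the repro writes 32 bytes */

/* Hypothetical device state: one fixed-size string register (not QEMU's). */
typedef struct {
    uint8_t mfr_model[REG_LEN];
} model_dev_t;

/* Block-style receive: may fill the whole field, leaving no NUL behind.
 * This mirrors the defect the patch description reports. */
static size_t receive_block_unsafe(uint8_t *dst, size_t dst_len,
                                   const uint8_t *src, size_t len)
{
    if (len > dst_len) len = dst_len;
    memcpy(dst, src, len);
    return len;
}

/* String-style receive: reserve the last byte so the field is always a
 * valid C string; longer guest writes are truncated, never unterminated. */
static size_t receive_string_safe(uint8_t *dst, size_t dst_len,
                                  const uint8_t *src, size_t len)
{
    if (len > dst_len - 1) len = dst_len - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Simulate a guest write of `len` bytes of 'A' into a zeroed field and
 * report the length a strlen()-based read path would see: -1 if no NUL
 * lies inside the array (strlen() would read out of bounds), else the
 * string length. The check uses memchr() so the model never overreads. */
static int stored_len_after_write(int use_safe, size_t len)
{
    model_dev_t dev;
    uint8_t payload[REG_LEN];
    memset(&dev, 0, sizeof dev);
    memset(payload, 'A', sizeof payload);
    if (len > REG_LEN) len = REG_LEN;
    if (use_safe) receive_string_safe(dev.mfr_model, REG_LEN, payload, len);
    else receive_block_unsafe(dev.mfr_model, REG_LEN, payload, len);
    if (memchr(dev.mfr_model, '\0', REG_LEN) == NULL) return -1;
    return (int)strlen((const char *)dev.mfr_model);
}
```

A 31-byte write is fine either way; only the full 32-byte write distinguishes the two receive paths, which is exactly the case the repro exercises.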
