Thanks for catching that. I went through the repro myself and arrived at the same root cause, but I missed that the original report's description of it was inaccurate and should have flagged that. Thanks for the review, I appreciate you taking the time to look into it.
Mon, 22 Jun 2026 at 12:18 Peter Maydell <[email protected]> wrote:
> On Sun, 14 Jun 2026 at 23:22, imaginos <[email protected]> wrote:
> >
> > The PMBus string registers (e.g. MFR_MODEL on the ADM1266) are writable
> > by the guest. pmbus_receive_block() can fill the destination field
> > completely, leaving no NUL terminator. When the value is later read back,
> > pmbus_send_string() calls strlen() on it, which reads past the end of the
> > array and returns a length that trips
> >
> > g_assert(len + pmdev->out_buf_len < SMBUS_DATA_MAX_LEN);
> >
> > aborting QEMU. This is guest-triggerable.
> >
> > Add pmbus_receive_string(), the write-side mirror of pmbus_send_string(),
> > which reserves the last byte of the destination so the stored value is
> > always NUL-terminated, and use it for the ADM1266 MFR string registers.
> >
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3388
> > Signed-off-by: imaginos <[email protected]>
>
> Thanks for looking at this. Notably, the bug report in #3388 makes
> a completely incorrect claim about what its repro case is actually
> doing. The repro case does the "write 32 bytes to trash the NUL
> terminator, then try to read back", which is what this patch addresses.
>
> I'll let the pmbus maintainers review the patch from a technical
> point of view.
>
> -- PMM
>
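A self-contained model of the defect and the fix described in the thread above, as an added example that is not the patch's or QEMU's own code; the 32-byte field size, the `demo_*` names and the all-'A' guest payload are assumptions:

```c
/* Added example, not QEMU's code: models the write path described above.
 * Function names and the field size are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define FIELD_SIZE 32   /* assumed size of an MFR_* string field */
typedef struct { char mfr_model[FIELD_SIZE]; } demo_dev_t;  /* hypothetical state */

/* Block receive as described in the thread: may fill the whole field,
 * so a guest write of FIELD_SIZE bytes leaves no NUL terminator. */
static void demo_receive_block(char *dst, size_t dst_size,
                               const uint8_t *buf, size_t len)
{
    memcpy(dst, buf, len < dst_size ? len : dst_size);
}

/* Write-side mirror of the string sender: reserves the last byte so the
 * stored value is always NUL-terminated, whatever length the guest sends. */
static void demo_receive_string(char *dst, size_t dst_size,
                                const uint8_t *buf, size_t len)
{
    size_t n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, buf, n);
    dst[n] = '\0';
}

/* Reproduces the defect: after a full-size block write there is no NUL in
 * the field, so a later strlen() would read past the end of the array.
 * memchr() keeps this check itself inside the array. */
bool demo_block_write_leaves_unterminated(void)
{
    demo_dev_t dev = {{0}};
    uint8_t payload[FIELD_SIZE];
    memset(payload, 'A', sizeof payload);   /* constructed guest write, no NUL */
    demo_receive_block(dev.mfr_model, sizeof dev.mfr_model, payload, sizeof payload);
    return memchr(dev.mfr_model, '\0', sizeof dev.mfr_model) == NULL;
}

/* Hardened path: a guest write of `len` bytes is capped at FIELD_SIZE - 1
 * and terminated, so strlen() on the stored value stays in bounds. */
size_t demo_string_write_length(size_t len)
{
    demo_dev_t dev = {{0}};
    uint8_t payload[FIELD_SIZE];
    if (len > sizeof payload) len = sizeof payload;
    memset(payload, 'A', len);
    demo_receive_string(dev.mfr_model, sizeof dev.mfr_model, payload, len);
    return strlen(dev.mfr_model);
}
```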
