On 22/07/2015 16:27, Daniel P. Berrange wrote: > On Wed, Jul 22, 2015 at 04:18:00PM +0200, Paolo Bonzini wrote: > > This is a guest-triggerable buffer overflow present in QEMU 2.2.0 > > and newer. scsi_cdb_length returns -1 as an error value, but the > > caller does not check it. > > > > Luckily, the massive overflow means that QEMU will just SIGSEGV, > > making the impact much smaller. > > FWIW, would be nice to mention which disk frontends could trigger > this bug. eg was it all of the devices in hw/scsi/ or just a subset ?
All of them. Paolo
