An off-by-one error in a switch case in onenand_read() allowed a misbehaving guest to read off the end of a block of memory.
NB: the onenand device is used only by the "n800" and "n810" machines, which are usable only with TCG, not KVM, so this is not a security issue. Reported-by: Thomas Huth <th...@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com> Reviewed-by: Richard Henderson <richard.hender...@linaro.org> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> Message-id: 20181115143535.5885-2-peter.mayd...@linaro.org Suggested-by: Richard Henderson <richard.hender...@linaro.org> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> --- hw/block/onenand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/block/onenand.c b/hw/block/onenand.c index 0cb8d7fa135..49ef68c9b14 100644 --- a/hw/block/onenand.c +++ b/hw/block/onenand.c @@ -608,7 +608,7 @@ static uint64_t onenand_read(void *opaque, hwaddr addr, int offset = addr >> s->shift; switch (offset) { - case 0x0000 ... 0xc000: + case 0x0000 ... 0xbffe: return lduw_le_p(s->boot[0] + addr); case 0xf000: /* Manufacturer ID */ -- 2.19.1