在 2018/12/6 16:48, P J P 写道: > From: Prasad J Pandit <p...@fedoraproject.org> > > While performing block transfer write in smb_ioport_writeb(), > 'smb_index' is incremented and used to index smb_data[] array. > Check 'smb_index' value to avoid OOB access. > > Reported-by: Michael Hanselmann <pub...@hansmi.ch> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/i2c/pm_smbus.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/i2c/pm_smbus.c b/hw/i2c/pm_smbus.c > index 685a2378ed..03062740cc 100644 > --- a/hw/i2c/pm_smbus.c > +++ b/hw/i2c/pm_smbus.c > @@ -240,6 +240,9 @@ static void smb_ioport_writeb(void *opaque, hwaddr addr, > uint64_t val, > uint8_t read = s->smb_addr & 0x01; > > s->smb_index++; > + if (s->smb_index >= PM_SMBUS_MAX_MSG_SIZE) { > + s->smb_index = 0; > + } > if (!read && s->smb_index == s->smb_data0) { > uint8_t prot = (s->smb_ctl >> 2) & 0x07; > uint8_t cmd = s->smb_cmd;
Oh... Finally another one find this..... I've already found this. This is very a serious security issue. I have wrote a full exploit to make a VM escape using this vulnerability. This guest can read/write a 4G memory of qemu process by default configuration. As far as I know, this vulnerability may be the most serious vulnerability of the qemu history. Please pay a lot of attention for this issue. Later I will release the full paper and exploit. It's not harm as this is introduced in 3.1 and no one use it now. Thanks, Li Qiang