On 06.12.18 09:48, P J P wrote:
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann <pub...@hansmi.ch>

Considering that Li Qiang had already published his exploit for a couple of hours (at the time of writing the URL is returning an HTTP 404 though I'd seen it earlier) and with the patch being public I decided to also publish my report:

https://hansmi.ch/articles/2018-12-qemu-pm-smbus-oob

I'd like to thank Prasad and his colleagues at Red Hat for the quick response to my report (patch committed within less than 18 hours).

Best regards,
Michael

--
https://hansmi.ch/