On 3/24/21 4:53 PM, Alexander Bulekov wrote:
> Hi,
> I can still trigger stack-overflows, heap-UAFs and heap-overflows in the
> code, but Mark's patches fixed some of the issues. I didn't want to
> flood the issue-tracker with further problems in this code, since it
> isn't clear what the security expectations are for this device. Of
> course it is only a matter of time until someone sends more reports to
> qemu-security.

I'd expect qemu-security to have a template "Thank you for your bug but this device is not within the 'security' boundary, we will forward your report to the community".

>
> Mark, do you want me to provide more reproducers for this device?

Surely Mark prefers you provide bugfixes instead :D

Phil.