Re: [Qemu-block] [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB

2018-11-22 Thread Peter Maydell
On 20 November 2018 at 18:41, Paolo Bonzini wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last
> byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error. This is CVE-2018-16847.

Maybe we should change the MemoryRegionOps API so that devices

Re: [Qemu-block] [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB

2018-11-21 Thread no-reply
Hi,

This series seems to have some coding style problems. See output below for
more information:

Message-id: 20181120184148.22501-1-pbonz...@redhat.com
Type: series
Subject: [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB

=== TEST SCRIPT BEGIN ===
#!/bin/bash
BASE=base
n=1

Re: [Qemu-block] [Qemu-devel] [PATCH] nvme: fix out-of-bounds access to the CMB

2018-11-20 Thread Philippe Mathieu-Daudé
On 20/11/18 19:41, Paolo Bonzini wrote:
> Because the CMB BAR has a min_access_size of 2, if you read the last byte
> it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
> error. This is CVE-2018-16847.
>
> Another way to fix this might be to register the CMB as a RAM memory
> region,
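The commit message quoted in the replies above describes the bug as the combination of two things: the memory core widens a 1-byte guest read to the region's min_access_size of 2 before it reaches the device, and the device's read handler trusts the size it is handed and memcpy's that many bytes from n->cmbuf. A 1-byte read of the last CMB byte therefore turns into a 2-byte copy starting at the last byte, one past the end. The following is an added example, not QEMU code and not the patch under discussion: a small C model of that dispatch path, with the read handler guarded so the overrun is reported instead of performed. It assumes the widening happens in place (same address, larger size, no aligning down), which is what the quoted description implies; ToyNvme, CMB_SIZE, cmb_read_cb, dispatch_read and model_read are hypothetical names, the 16-byte buffer and its 0xA0.. pattern are constructed, and the decision between the two mitigations it shows (min_access_size of 1, or a bounds check in the handler) is not a claim about what the real patch chose.

```c
/*
 * Added example, not QEMU code. Models how a sub-minimum guest access to a
 * MemoryRegion with min_access_size 2 reaches the device callback widened
 * to 2 bytes, and why a handler that trusts the size reads past cmbuf when
 * the guest touches the last byte. All names and sizes are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CMB_SIZE 16u   /* hypothetical tiny CMB; the real one is megabytes */

typedef struct {
    uint8_t cmbuf[CMB_SIZE];   /* stands in for n->cmbuf from the thread */
    unsigned min_access_size;  /* stands in for the region's impl.min_access_size */
} ToyNvme;

/*
 * Device read callback. The handler described in the thread did an unchecked
 * memcpy of `size` bytes from &cmbuf[addr]; a 2-byte request at offset
 * CMB_SIZE-1 therefore read one byte past the buffer. This version refuses
 * any request that does not fit (returning false models a decode error) and
 * assembles the little-endian value byte by byte so the model is portable.
 */
static bool cmb_read_cb(const ToyNvme *n, uint64_t addr, unsigned size,
                        uint64_t *val)
{
    if (size > sizeof(*val) || addr > CMB_SIZE || size > CMB_SIZE - addr) {
        return false;   /* would overrun cmbuf: the off-by-one condition */
    }
    *val = 0;
    for (unsigned i = 0; i < size; i++) {
        *val |= (uint64_t)n->cmbuf[addr + i] << (8 * i);
    }
    return true;
}

/*
 * Models the memory core's access-size adjustment: a guest access narrower
 * than min_access_size is issued to the device at the same address but
 * widened to min_access_size bytes (assumption: no aligning down), and the
 * bytes the guest asked for are then extracted from the wider result.
 */
static bool dispatch_read(const ToyNvme *n, uint64_t addr, unsigned size,
                          uint64_t *val)
{
    unsigned access_size = size < n->min_access_size ? n->min_access_size : size;
    uint64_t wide;
    if (!cmb_read_cb(n, addr, access_size, &wide)) {
        return false;
    }
    /* keep only the low `size` bytes; the widened part sat above them */
    *val = size >= 8 ? wide : (wide & ((1ull << (8 * size)) - 1));
    return true;
}

/*
 * Convenience wrapper over a pattern-filled CMB (constructed contents:
 * byte i holds 0xA0 + i). Returns the value read, or UINT64_MAX if the
 * callback rejected the access as out of bounds.
 */
static uint64_t model_read(unsigned min_access_size, uint64_t addr, unsigned size)
{
    ToyNvme n;
    for (unsigned i = 0; i < CMB_SIZE; i++) {
        n.cmbuf[i] = (uint8_t)(0xA0 + i);
    }
    n.min_access_size = min_access_size;
    uint64_t v;
    return dispatch_read(&n, addr, size, &v) ? v : UINT64_MAX;
}

int main(void)
{
    /* Vulnerable configuration: 1-byte read of the last byte is widened to
     * 2 bytes and the handler is asked for cmbuf[15..16]. */
    uint64_t v = model_read(2, CMB_SIZE - 1, 1);
    printf("min_access_size=2, read 1 byte at %u: %s\n", CMB_SIZE - 1,
           v == UINT64_MAX ? "rejected (would overrun cmbuf)" : "ok");

    /* Mitigation 1: min_access_size 1, so no widening takes place. */
    v = model_read(1, CMB_SIZE - 1, 1);
    printf("min_access_size=1, read 1 byte at %u: 0x%02llx\n", CMB_SIZE - 1,
           (unsigned long long)v);
    return 0;
}
```

Mitigation 2 is already in cmb_read_cb: even with min_access_size left at 2, the size check turns the overrun into a rejected access rather than a read past the buffer. Note that the check is `size > CMB_SIZE - addr` after establishing `addr <= CMB_SIZE`, which avoids the wrap-around that a naive `addr + size > CMB_SIZE` on an attacker-influenced 64-bit address could suffer.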