On Mon, 2024-06-17 at 15:15 +0100, Peter Maydell wrote:
> On Mon, 17 Jun 2024 at 14:46, David Woodhouse wrote:
> >
> > From: David Woodhouse
> >
> > In e820_add_entry() the e820_table is reallocated with g_renew() to make
> > space for a new entry. However, fw_cfg_arch_create() just uses the

On Mon, 17 Jun 2024 at 14:46, David Woodhouse wrote:
>
> From: David Woodhouse
>
> In e820_add_entry() the e820_table is reallocated with g_renew() to make
> space for a new entry. However, fw_cfg_arch_create() just uses the existing
> e820_table pointer.
>
> This leads to a use-after-free if

From: David Woodhouse

In e820_add_entry() the e820_table is reallocated with g_renew() to make
space for a new entry. However, fw_cfg_arch_create() just uses the existing
e820_table pointer.
This leads to a use-after-free if anything adds a new entry after fw_cfg
is set up. Shift the addition
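The pattern the commit message describes, as an added example that is not code from the patch or from QEMU: a table is grown with a realloc-style call (g_renew() in QEMU, plain realloc() here) while another component keeps the pointer it was handed at setup time. The names e820_table, e820_add_entry, fw_cfg_arch_create and fw_cfg_blob are illustrative models of the real functions, and the sample entries are constructed; buggy_order() reproduces the ordering the message warns about and fixed_order() the ordering the patch moves to.

```c
/* Added example modelling the stale-pointer pattern from the commit
 * message; not QEMU code. realloc() stands in for g_renew(). */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <stddef.h>

struct e820_entry {
    uint64_t address;
    uint64_t length;
    uint32_t type;        /* E820 type code: 1 = RAM, 2 = reserved */
};

/* Model of fw_cfg's view of the table: a pointer/length snapshot taken
 * once at setup. The pointer is kept as an integer so that comparing it
 * after a realloc() that freed the old block is not undefined behaviour. */
struct fw_cfg_blob {
    uintptr_t data;
    size_t len;
};

static struct e820_entry *e820_table;   /* hypothetical global, as in the message */
static unsigned e820_entries;

/* Model of e820_add_entry(): grow the table, which may move it. */
static int e820_add_entry(uint64_t address, uint64_t length, uint32_t type)
{
    struct e820_entry *t = realloc(e820_table, (e820_entries + 1) * sizeof(*t));
    if (!t)
        return -1;
    e820_table = t;
    t[e820_entries].address = address;
    t[e820_entries].length = length;
    t[e820_entries].type = type;
    e820_entries++;
    return 0;
}

/* Model of fw_cfg_arch_create(): records the table pointer as it is now. */
static void fw_cfg_arch_create(struct fw_cfg_blob *b)
{
    b->data = (uintptr_t)e820_table;
    b->len = e820_entries * sizeof(*e820_table);
}

/* 1 if the snapshot no longer describes the live table, i.e. the real
 * code would now read (or have freed) memory behind the old pointer.
 * Length is checked as well as the address because an allocator may grow
 * a block in place and hand back the same pointer. */
static int fw_cfg_blob_is_stale(const struct fw_cfg_blob *b)
{
    return b->data != (uintptr_t)e820_table ||
           b->len != e820_entries * sizeof(*e820_table);
}

static void e820_reset(void)
{
    free(e820_table);
    e820_table = NULL;
    e820_entries = 0;
}

/* Ordering the commit message warns about: fw_cfg takes its snapshot,
 * then another entry is added behind its back. Returns 1 (stale). */
static int buggy_order(void)
{
    struct fw_cfg_blob blob;
    int stale;

    e820_reset();
    if (e820_add_entry(0x0, 0x9fc00, 1) < 0)          /* constructed sample */
        return -1;
    if (e820_add_entry(0x100000, 0x7ff00000, 1) < 0)
        return -1;
    fw_cfg_arch_create(&blob);
    if (e820_add_entry(0xfffc0000, 0x40000, 2) < 0)   /* added after setup */
        return -1;
    stale = fw_cfg_blob_is_stale(&blob);
    e820_reset();
    return stale;
}

/* Fixed ordering: every entry is added before fw_cfg is created. Returns 0. */
static int fixed_order(void)
{
    struct fw_cfg_blob blob;
    int stale;

    e820_reset();
    if (e820_add_entry(0x0, 0x9fc00, 1) < 0)
        return -1;
    if (e820_add_entry(0x100000, 0x7ff00000, 1) < 0)
        return -1;
    if (e820_add_entry(0xfffc0000, 0x40000, 2) < 0)
        return -1;
    fw_cfg_arch_create(&blob);
    stale = fw_cfg_blob_is_stale(&blob);
    e820_reset();
    return stale;
}

int main(void)
{
    printf("entry added after fw_cfg setup: %s\n",
           buggy_order() ? "stale snapshot (use-after-free)" : "ok");
    printf("all entries added before setup: %s\n",
           fixed_order() ? "stale snapshot" : "ok");
    return 0;
}
```

The model deliberately does not dereference the old pointer after the realloc; it only shows that the snapshot and the live table disagree, which is the condition under which the real fw_cfg code would read freed memory. Whether g_renew() actually moves the block depends on the allocator and the sizes involved, so the bug does not reproduce deterministically in practice, which is why reordering the setup (as the patch does) is the right fix rather than hoping the pointer stays put.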