Stefan Weil, Peter Maydell, 朱东海(启路)
Subject: Re: [Qemu-devel] [PATCH for v2.3.0] fw_cfg: add check to validate current entry value

+-- On Tue, 5 Jan 2016, P J P wrote --+
| An OOB r/w access issue was reported by Mr Donghai Zdh, CC'd here.

Mr Donghai CC'd now.
--
Prasad J Pandit / Red Hat Product Security Team
+-- On Wed, 6 Jan 2016, 朱东海(启路) wrote --+
| Hi, will you assign a CVE to this vulnerability?
Yes, I will once the patch is approved upstream.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
+-- On Tue, 5 Jan 2016, Stefan Weil wrote --+
| > -s->cur_offset < e->len) {
| > +if (s->cur_entry != FW_CFG_INVALID
| > +&& s->cur_entry & FW_CFG_WRITE_CHANNEL
| > +&& e->callback
| > +&& s->cur_offset < e->len) {
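Review bot: the bit test `s->cur_entry & FW_CFG_WRITE_CHANNEL` in the middle of the `&&` chain relies on `&` binding tighter than `&&` (and `!=` tighter than `&`); it reads as intended, but parenthesising it as `(s->cur_entry & FW_CFG_WRITE_CHANNEL)` makes the condition unambiguous to the next reader and to compiler warnings. Keep `s->cur_entry != FW_CFG_INVALID` first in the chain, as here, since `e->callback` and `e->len` are only safe to dereference once the entry is known to be valid. The commit message describes an OOB r/w access, while this hunk only guards the write channel; any read path that indexes the entry table from `s->cur_entry` needs the same FW_CFG_INVALID check if it does not already have one.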
|
| I suggest to test e != NULL instead of s->c
On 05.01.2016 at 15:55, P J P wrote:
> From: Prasad J Pandit
>
> When processing firmware configurations, an OOB r/w access occurs
> if 's->cur_entry' is set to be invalid (FW_CFG_INVALID=0x).
> Add a check to validate 's->cur_entry' to avoid such access.
>
> Reported-by: Donghai Zdh
> Sign
From: Prasad J Pandit
When processing firmware configurations, an OOB r/w access occurs
if 's->cur_entry' is set to be invalid (FW_CFG_INVALID=0x).
Add a check to validate 's->cur_entry' to avoid such access.
Reported-by: Donghai Zdh
Signed-off-by: Prasad J Pandit
---
hw/nvram/fw_cfg.c | 1
From: Prasad J Pandit
Hello,
An OOB r/w access issue was reported by Mr Donghai Zdh, CC'd here. It occurs
while processing firmware configurations in Qemu versions prior to 2.4. The
OOB memory access crashes the Qemu process on the host.
Please see below a (tested) patch to fix this issue. Does
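The failure mode the thread describes, as an added example that is not QEMU's code and not the patch under review: a cut-down model of a selector/data-port device with a table of entries, where an out-of-range selector parks the device on a sentinel value and the data port later indexes the table from that sentinel. The flag bits, the 0x20-entry table, the sentinel value 0xffff (the page shows FW_CFG_INVALID only truncated) and every name beginning with model_ are assumptions of this example. It shows the index the masked sentinel produces, the write path that trusts it, and the hardened path that refuses it before the table is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model constants: assumptions for this example, not QEMU's definitions.
 * 16-bit selector, two flag bits, the rest is the table index, and a
 * sentinel value that no in-range selector ever produces. */
#define FW_CFG_WRITE_CHANNEL 0x4000u
#define FW_CFG_ARCH_LOCAL    0x8000u
#define FW_CFG_ENTRY_MASK    (0xffffu & ~(FW_CFG_WRITE_CHANNEL | FW_CFG_ARCH_LOCAL))
#define FW_CFG_INVALID       0xffffu
#define MODEL_MAX_ENTRY      0x20u      /* entries per arch table in this model */

typedef struct {
    uint8_t *data;
    uint32_t len;
    void (*callback)(uint8_t *data, uint32_t len);   /* NULL: read-only entry */
} ModelEntry;

typedef struct {
    ModelEntry entries[2][MODEL_MAX_ENTRY];
    uint16_t cur_entry;
    uint32_t cur_offset;
} ModelState;

/* Selector port: an out-of-range key parks the device on the sentinel. */
void model_select(ModelState *s, uint16_t key)
{
    s->cur_offset = 0;
    s->cur_entry = (key & FW_CFG_ENTRY_MASK) < MODEL_MAX_ENTRY ? key : FW_CFG_INVALID;
}

/* Table index the data port derives from cur_entry. For the sentinel this
 * is 0xffff & 0x3fff = 0x3fff, far past a MODEL_MAX_ENTRY-sized table. */
unsigned model_index(const ModelState *s)
{
    return s->cur_entry & FW_CFG_ENTRY_MASK;
}

/* Tail shared by both write variants: the hunk's condition minus the
 * cur_entry check. Every field of e is dereferenced here. */
static int model_do_write(ModelState *s, ModelEntry *e, uint8_t value)
{
    if (!(s->cur_entry & FW_CFG_WRITE_CHANNEL) || !e->callback ||
        s->cur_offset >= e->len) {
        return 0;
    }
    e->data[s->cur_offset++] = value;
    if (s->cur_offset == e->len) {
        e->callback(e->data, e->len);
    }
    return 1;
}

/* Vulnerable form: indexes the table straight from cur_entry. With the
 * sentinel parked there, e is 0x3fff entries past the table, so the reads
 * of e->callback and e->len (and any write via e->data) are out of bounds. */
int model_write_vulnerable(ModelState *s, uint8_t value)
{
    int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
    return model_do_write(s, &s->entries[arch][model_index(s)], value);
}

/* Hardened form: reject the sentinel before touching the table, plus an
 * explicit bound so the check does not rely on mask and table size agreeing. */
int model_write_hardened(ModelState *s, uint8_t value)
{
    int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
    unsigned idx = model_index(s);
    if (s->cur_entry == FW_CFG_INVALID || idx >= MODEL_MAX_ENTRY) {
        return 0;                                    /* no memory touched */
    }
    return model_do_write(s, &s->entries[arch][idx], value);
}

/* Constructed fixture: a single writable 4-byte entry at index 1. */
static uint8_t model_buf[4];
static int model_callback_hits;
static void model_cb(uint8_t *d, uint32_t n) { (void)d; (void)n; model_callback_hits++; }

void model_init(ModelState *s)
{
    memset(s, 0, sizeof(*s));
    memset(model_buf, 0, sizeof(model_buf));
    model_callback_hits = 0;
    s->entries[0][1].data = model_buf;
    s->entries[0][1].len = sizeof(model_buf);
    s->entries[0][1].callback = model_cb;
    s->cur_entry = FW_CFG_INVALID;
}

int main(void)
{
    ModelState s;
    model_init(&s);
    model_select(&s, 0x0fff);                   /* index 0xfff: no such entry */
    printf("cur_entry=0x%04x index=0x%x (table holds 0x%x entries) write ok=%d\n",
           s.cur_entry, model_index(&s), MODEL_MAX_ENTRY, model_write_hardened(&s, 'A'));
    return 0;
}
```

The vulnerable variant is deliberately never called while the sentinel is parked: that access is undefined behaviour in plain C, and model_index already reports the element it would reach. The hardened variant keeps both checks, the sentinel test that the patch adds and an explicit bound on the masked index, so that a later change to the mask or the table size cannot silently reopen the hole.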