From: Prasad J Pandit
create_cq and create_qp routines allocate a ring object, but it is
not released in case of an error, leading to a memory leak.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_cmd.c | 36 +---
1 file changed, 25
From: Prasad J Pandit
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar
Signed-off-by: Prasad J
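The pattern behind this fix is a guest-supplied element count used as a loop bound over a fixed-size host array. The example below is added here and is not QEMU's code: the `sq_wqe`/`sge` layouts, the `WQE_MAX_SGE` capacity, the `ERR_INV_NUM_SGE` code (standing in for VENDOR_ERR_INV_NUM_SGE) and the rejection of `num_sge == 0` are all assumptions made for illustration. It shows the unchecked shape beside the hardened one, which reads the guest count once and rejects it before it is ever used as a bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SGE 4               /* size of the back-end ibv_sge[] array, per the commit message */
#define ERR_INV_NUM_SGE (-1)    /* hypothetical error code standing in for VENDOR_ERR_INV_NUM_SGE */
#define WQE_MAX_SGE 16          /* assumed: entries a guest ring element can physically carry */

/* Assumed, simplified layouts; the real PvrdmaSqWqe and ibv_sge differ. */
struct sge {
    uint64_t addr;
    uint32_t length;
    uint32_t lkey;
};

struct sq_wqe {
    uint32_t num_sge;               /* guest controlled */
    struct sge sge[WQE_MAX_SGE];
};

/* The shape of the bug: num_sge is the loop bound with no check, so a guest
 * value above MAX_SGE writes past the end of dst[]. Shown for contrast only;
 * nothing here calls it. */
int build_sge_list_unchecked(const struct sq_wqe *wqe, struct sge dst[MAX_SGE])
{
    for (uint32_t i = 0; i < wqe->num_sge; i++) {
        dst[i] = wqe->sge[i];       /* out-of-bounds write when num_sge > MAX_SGE */
    }
    return (int)wqe->num_sge;
}

/* Hardened form: read the guest count once (the ring entry is guest memory
 * and can change under us), reject it before use, copy at most MAX_SGE.
 * Returns the number of entries copied or ERR_INV_NUM_SGE. */
static int build_sge_list(const struct sq_wqe *wqe, struct sge dst[MAX_SGE])
{
    uint32_t n = wqe->num_sge;

    if (n == 0 || n > MAX_SGE) {    /* zero rejected too (assumed policy, cf. VENDOR_ERR_NO_SGE) */
        return ERR_INV_NUM_SGE;
    }
    for (uint32_t i = 0; i < n; i++) {
        dst[i] = wqe->sge[i];
    }
    return (int)n;
}

/* Constructed test input: a WQE claiming num_sge entries with distinct addresses. */
static struct sq_wqe make_wqe(uint32_t num_sge)
{
    struct sq_wqe w;
    memset(&w, 0, sizeof(w));
    w.num_sge = num_sge;
    for (uint32_t i = 0; i < WQE_MAX_SGE; i++) {
        w.sge[i].addr = 0x1000u * (i + 1);
        w.sge[i].length = 64;
    }
    return w;
}

/* Runs the hardened builder for a given guest count and returns its result. */
static int check_num_sge(uint32_t num_sge)
{
    struct sq_wqe w = make_wqe(num_sge);
    struct sge out[MAX_SGE];
    return build_sge_list(&w, out);
}

/* Address that landed in dst[slot], or 0 if the WQE was rejected or slot is invalid. */
static uint64_t copied_addr(uint32_t num_sge, int slot)
{
    struct sq_wqe w = make_wqe(num_sge);
    struct sge out[MAX_SGE];
    memset(out, 0, sizeof(out));
    if (build_sge_list(&w, out) < 0 || slot < 0 || slot >= MAX_SGE) {
        return 0;
    }
    return out[slot].addr;
}
```

The single read of `num_sge` into a local matters as much as the comparison: a check on `wqe->num_sge` followed by a loop that re-reads `wqe->num_sge` from shared memory is still racy against a guest that flips the value between the two reads.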
From: Prasad J Pandit
pvrdma_idx_ring_has_[data/space] routines also return invalid
index PVRDMA_INVALID_IDX[=-1], if the ring has no data/space. Check
return value from these routines to avoid plausible infinite loops.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
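The commit message above describes a ring API whose "next index" routines also signal "nothing to do" through a sentinel return value, and a caller that does not test for it. The following is an added model, not QEMU's pvrdma ring code: the `struct ring` layout, free-running 32-bit counters with `counter % nslots` as the slot index, `RING_INVALID_IDX` standing in for PVRDMA_INVALID_IDX and `RING_MAX_SLOTS` are all assumptions. It shows the consumer loop that stops on the sentinel and is additionally bounded, so a guest that keeps rewriting the shared producer counter cannot keep the host spinning.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_INVALID_IDX (-1)   /* stands in for PVRDMA_INVALID_IDX */
#define RING_MAX_SLOTS 8        /* assumed backing capacity */

/* Assumed model: in the real device the counters live in guest-shared
 * memory, so `prod` is attacker controlled on the send side. */
struct ring {
    uint32_t prod;
    uint32_t cons;
    uint32_t nslots;
    int32_t slots[RING_MAX_SLOTS];
};

static int ring_init(struct ring *r, uint32_t nslots)
{
    if (nslots == 0 || nslots > RING_MAX_SLOTS) {
        return -1;              /* a zero modulus or an oversized ring is never acceptable */
    }
    memset(r, 0, sizeof(*r));
    r->nslots = nslots;
    return 0;
}

/* Next readable slot, or RING_INVALID_IDX when the ring is empty. */
static int ring_has_data(const struct ring *r)
{
    if (r->prod == r->cons) {
        return RING_INVALID_IDX;
    }
    return (int)(r->cons % r->nslots);
}

/* Next writable slot, or RING_INVALID_IDX when the ring is full. */
static int ring_has_space(const struct ring *r)
{
    if (r->prod - r->cons >= r->nslots) {
        return RING_INVALID_IDX;
    }
    return (int)(r->prod % r->nslots);
}

static int ring_push(struct ring *r, int32_t v)
{
    int idx = ring_has_space(r);
    if (idx == RING_INVALID_IDX) {
        return -1;
    }
    r->slots[idx] = v;
    r->prod++;
    return 0;
}

/* Consumer loop. The bug class in the commit message is a caller that ignores
 * the -1: `while ((idx = ring_has_data(r)))` never ends on an empty ring because
 * -1 is truthy, and `slots[idx]` with idx == -1 is an out-of-bounds read.
 * The loop is also capped by max_out. Returns the number of elements consumed. */
static int ring_drain(struct ring *r, int32_t *out, int max_out)
{
    int n = 0;
    while (n < max_out) {
        int idx = ring_has_data(r);
        if (idx == RING_INVALID_IDX) {
            break;
        }
        out[n++] = r->slots[idx];
        r->cons++;
    }
    return n;
}

/* Scenario: how many of npush pushes a fresh ring of nslots accepts (-1 if init fails). */
static int ring_accepted(uint32_t nslots, int npush)
{
    struct ring r;
    int ok = 0;
    if (ring_init(&r, nslots) < 0) {
        return -1;
    }
    for (int i = 0; i < npush; i++) {
        if (ring_push(&r, i + 1) == 0) {
            ok++;
        }
    }
    return ok;
}

/* Scenario: elements a drain returns after npush pushes; with forge_prod set the
 * guest-visible producer counter is overwritten first, and the drain still ends. */
static int ring_drain_count(uint32_t nslots, int npush, int forge_prod, int max_out)
{
    struct ring r;
    int32_t out[64];
    if (ring_init(&r, nslots) < 0 || max_out > 64) {
        return -1;
    }
    for (int i = 0; i < npush; i++) {
        ring_push(&r, i + 1);
    }
    if (forge_prod) {
        r.prod = 0xFFFFFFFFu;   /* attacker rewrites the shared counter */
    }
    return ring_drain(&r, out, max_out);
}
```

Two independent guards are at work: the sentinel test stops the loop on a well-behaved empty ring, and the `max_out` cap stops it when the shared counter has been forged so that "has data" is always true.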
Hello Yuval,
+-- On Sun, 16 Dec 2018, Yuval Shaia wrote --+
| With this patch the last step fails, the guest OS hangs, trying to probably
| unload pvrdma driver and finally gave up after 3 minutes.
Strange...
| Anyways with debug turned on i have noticed that there is one case that
|
Hello Yuval,
+-- On Tue, 11 Dec 2018, Yuval Shaia wrote --+
| > Ditto, here send ring and recv rings stay mapped.
| > Look at how QP's ring is destroyed in destroy_qp.
| >
| > For both case suggesting to define a new static function that destroy rings
| > and call it from both error flow of
+-- On Wed, 12 Dec 2018, P J P wrote --+
| | Also, can you rebase this patch on top of the patchset i posted last week:
| | https://patchwork.kernel.org/patch/10705439/
|
| Okay, I'll send revised patch set. Thanks so much for the prompt review.
I tried to git apply above patch-set over v3.1.0
From: Prasad J Pandit
pvrdma_idx_ring_has_[data/space] routines also return invalid
index PVRDMA_INVALID_IDX[=-1], if the ring has no data/space. Check
return value from these routines to avoid plausible infinite loops.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
From: Prasad J Pandit
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar
Signed-off-by: Prasad J
From: Prasad J Pandit
Define skeleton 'uar_read' routine. Avoid NULL dereference.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_main.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index
From: Prasad J Pandit
When creating CQ/QP rings, an object can have up to
PVRDMA_MAX_FAST_REG_PAGES=128 pages. Check 'npages' parameter
to avoid excessive memory allocation or a null dereference.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_cmd.c | 11
From: Prasad J Pandit
create_cq and create_qp routines allocate a ring object, but it is
not released in case of an error, leading to a memory leak.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_cmd.c | 36 +---
1 file changed, 25
From: Prasad J Pandit
Replace VENDOR_ERR_NO_SGE macro with VENDOR_ERR_INV_NUM_SGE
to indicate invalid number of scatter/gather elements.
Signed-off-by: Prasad J Pandit
---
hw/rdma/rdma_backend.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/rdma/rdma_backend.c
From: Prasad J Pandit
Hello,
This is a revised version v1 of the earlier patch set to fix issues
in the rdma/pvrdma backend.
Update to include review comments
-> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02196.html
Please note, this patch is created after merging another
Hello Gerd,
+-- On Thu, 13 Dec 2018, Markus Armbruster wrote --+
| Gerd Hoffmann writes:
| > Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
| > While being at it also add O_CLOEXEC.
| >
| > usb-mtp only handles regular files and directories and ignores
| > everything
From: Prasad J Pandit
When creating CQ/QP rings, an object can have up to
PVRDMA_MAX_FAST_REG_PAGES=128 pages. Check 'npages' parameter
to avoid excessive memory allocation or a null dereference.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_cmd.c | 9 +
From: Prasad J Pandit
pvrdma_idx_ring_has_[data/space] routines also return invalid
index PVRDMA_INVALID_IDX[=-1], if the ring has no data/space. Check
return value from these routines to avoid plausible infinite loops.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
From: Prasad J Pandit
create_cq and create_qp routines allocate a ring object, but it is
not released in case of an error, leading to a memory leak.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_cmd.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
From: Prasad J Pandit
Hello,
Various issues (OOB access, null dereference and a possible infinite loop) were
reported in the rdma/pvrdma backends. This patch set attempts to fix these.
Thank you.
---
Prasad J Pandit (5):
rdma: check that num_sge does not exceed MAX_SGE
pvrdma: add uar_read
From: Prasad J Pandit
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
Add check to avoid it.
Reported-by: Saar Amar
Signed-off-by: Prasad J
From: Prasad J Pandit
Define skeleton 'uar_read' routine. Avoid NULL dereference.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_main.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index
From: Prasad J Pandit
While performing block transfer write in smb_ioport_writeb(),
'smb_index' is incremented and used to index smb_data[] array.
Check 'smb_index' value to avoid OOB access.
Reported-by: Michael Hanselmann
Signed-off-by: Prasad J Pandit
---
hw/i2c/pm_smbus.c | 3 +++
1 file
+-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
| > From: Prasad J Pandit
| >
| > While performing block transfer write in smb_ioport_writeb(),
| > 'smb_index' is incremented and used to index smb_data[] array.
| > Check 'smb_index' value to avoid OOB access.
| >
| > Reported-by: Michael
+-- On Thu, 6 Dec 2018, Peter Maydell wrote --+
| > > Do we need patch v2, or it can be done while merging it?
| >
| > I can add in the Fixes line when I apply the patch to master.
|
| Oh, I think we should also add to the commit message something
| along the lines of:
|
| "Note that this bug is
+-- On Thu, 6 Dec 2018, P J P wrote --+
| | to clarify that this is a serious bug but also that it's
| | not one that will be affecting anybody's production systems.
|
| Okay, preparing patch v2...
Sent revised patch
[PATCH v1] i2c: pm_smbus: check smb_index before block transfer write
Thank
From: Prasad J Pandit
While performing block transfer write in smb_ioport_writeb(),
'smb_index' is incremented and used to index smb_data[] array.
Check 'smb_index' value to avoid OOB access.
Note that this bug is exploitable by a guest to escape
from the virtual machine. However the commit
+-- On Thu, 29 Nov 2018, Eric Blake wrote --+
| How important is this for 3.1? We've missed -rc3. Is this CVE quality
| because of a guest being able to cause mayhem by intentionally getting into
| this condition (in which case, we need it, as well as a CVE assigned)? Is it
| pre-existing in
From: Prasad J Pandit
While performing mmio device r/w operations, guest could set 'addr'
parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
after setting new 'locty' via 'tpm_tis_new_active_locality'.
Add check to avoid OOB access.
Reported-by: Cheng Feng
Signed-off-by: Prasad
Hello Stefan, Marc,
+-- On Tue, 20 Nov 2018, P J P wrote --+
| | On 11/20/18 2:22 AM, P J P wrote:
| | > From: Prasad J Pandit
| | > While performing mmio device r/w operations, guest could set 'addr'
| | > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
| | > a
Hello Gerd,
+-- On Mon, 12 Nov 2018, Gerd Hoffmann wrote --+
| On Tue, Oct 30, 2018 at 09:23:40AM +0100, Gerd Hoffmann wrote:
| > Fixes: CVE-2018-???
| > Cc: P J P
|
| ping, do we have a cve number meanwhile?
No, the off-by-one does not seem to have an adverse effect. One byte past
AR
Hello Petr, Paolo,
+-- On Tue, 6 Nov 2018, Paolo Bonzini wrote --+
| On 06/11/2018 13:03, Peter Maydell wrote:
| > When can this masking have any effect? These functions are
| > the read and write ops for lsi_ram_ops, which we register with
| > memory_region_init_io(>ram_io, OBJECT(s),
e(),
| like in v9fs_rename().
|
| Impact: DoS triggered by unprivileged guest users.
|
| Cc: P J P
| Reported-by: zhibin hu
| Signed-off-by: Greg Kurz
| ---
| hw/9pfs/9p.c |3 +++
| 1 file changed, 3 insertions(+)
|
| diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
| index 267a25533b77..bdf7919ab
+-- On Mon, 19 Nov 2018, P J P wrote --+
| From: Prasad J Pandit
|
| The length parameter values are not negative, thus use an unsigned
| type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
| calls. If it was negative, it could lead to memory corruption issues.
| Add check
+-- On Wed, 21 Nov 2018, Stefan Berger wrote --+
| I audited all functions yesterday and my proposed patches are on the mailing
| list. The abort related ones seem most critical but they are all passed values
| they can handle. I do not think that an out-of-bounds access can occur with
| the
Hello Stefan,
+-- On Tue, 20 Nov 2018, Stefan Berger wrote --+
| On 11/20/18 2:22 AM, P J P wrote:
| > From: Prasad J Pandit
| >
| > While performing mmio device r/w operations, guest could set 'addr'
| > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
| > af
.
|
| It turns out that the same can happen at several locations where
| v9fs_path_copy() is used to set the fid path. The fix is again to
| take the write lock.
|
| Cc: P J P
| Reported-by: zhibin hu
| Signed-off-by: Greg Kurz
| ---
| hw/9pfs/9p.c | 15 +++
| 1 file changed, 15
From: Prasad J Pandit
The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If it was negative, it could lead to memory corruption issues.
Add check to avoid it.
Reported-by: Arash TC
Signed-off-by: Prasad
+-- On Tue, 6 Nov 2018, Philippe Mathieu-Daudé wrote --+
| > @@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque,
| > static uint8_t buf[4096];
| >
| > buf[0] = type;
| > +assert(len <= sizeof(buf) - 1);
|
| Why not simply "assert(len < sizeof(buf));"?
| > for
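Review bot: `assert(len <= sizeof(buf) - 1)` is the same bound as `assert(len < sizeof(buf))`, which is the simpler spelling the reply asks for; since `buf[0]` is already taken by `type` on the line above, a one-line comment saying that the payload is placed from `buf + 1` onwards would make the `- 1` self-explanatory. Also worth stating in the commit message whether an abort is the intended response to an oversized `len` at runtime, as opposed to dropping the packet and returning, since an assert turns bad input into a process exit.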
From: Prasad J Pandit
QEMU guest agent, while executing user commands, does not seem to
check the length of the argument list and/or environment variables passed.
It may lead to integer overflow or infinite loop issues. Add check
to avoid it.
Reported-by: Niu Guoxiang
Signed-off-by: Prasad J Pandit
---
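The commit message above is about sizing a caller-supplied argument and environment vector without the arithmetic wrapping and without walking an unterminated vector forever. The code below is an added example, not the guest agent's implementation: `ARGS_LIMIT` is an assumed constant standing in for what `sysconf(_SC_ARG_MAX)` would return on POSIX (the thread later notes mingw lacks `sysconf`), `MAX_STRV_COUNT` is an assumed cap on entries, and `exec_args_ok`, `strv_size_checked` and the helper names are hypothetical. The accounting (each string plus its NUL, plus the pointer array including its terminating NULL) follows the usual exec convention.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ARGS_LIMIT ((size_t)128 * 1024)     /* assumed stand-in for sysconf(_SC_ARG_MAX) */
#define MAX_STRV_COUNT ((size_t)4096)       /* assumed cap on vector entries */

/* Add with wrap detection; *acc is left untouched on failure. */
static int add_checked(size_t *acc, size_t n)
{
    if (n > SIZE_MAX - *acc) {
        return -1;
    }
    *acc += n;
    return 0;
}

/* strnlen equivalent, so the example does not depend on the POSIX declaration. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0') {
        i++;
    }
    return i;
}

/* Size a NULL-terminated string vector. Returns 0 and stores the size in
 * *total, or -1 when no NULL appears within max_count entries (so fewer than
 * max_count strings are accepted), a string is `limit` bytes or longer, or the
 * running total would wrap or exceed `limit`. Nothing from the vector is
 * trusted before it is checked, and no string is scanned past `limit`. */
static int strv_size_checked(const char *const *v, size_t max_count, size_t limit, size_t *total)
{
    size_t sum = 0;
    size_t i;

    for (i = 0;; i++) {
        if (i >= max_count) {
            return -1;          /* unterminated, or simply too many entries */
        }
        if (v[i] == NULL) {
            break;
        }
        size_t len = bounded_len(v[i], limit);
        if (len >= limit) {
            return -1;
        }
        if (add_checked(&sum, len + 1) || sum > limit) {
            return -1;
        }
    }
    /* i + 1 <= max_count + 1, so the multiplication cannot wrap for a sane cap */
    if (add_checked(&sum, (i + 1) * sizeof(char *)) || sum > limit) {
        return -1;
    }
    *total = sum;
    return 0;
}

/* Combined check for a guest-exec style request: argv and envp must fit together. */
static int exec_args_ok(const char *const *argv, const char *const *envp)
{
    size_t a = 0, e = 0, sum = 0;
    if (strv_size_checked(argv, MAX_STRV_COUNT, ARGS_LIMIT, &a) < 0) {
        return -1;
    }
    if (envp != NULL && strv_size_checked(envp, MAX_STRV_COUNT, ARGS_LIMIT, &e) < 0) {
        return -1;
    }
    if (add_checked(&sum, a) || add_checked(&sum, e) || sum > ARGS_LIMIT) {
        return -1;
    }
    return 0;
}

/* Constructed inputs for exercising the check. */
const char *const good_v[] = { "ls", "-l", NULL };
const char *const unterminated_v[] = { "a", "b", "c" };   /* deliberately no NULL */

/* Vector of `count` copies of `s`, checked as argv. */
static int check_repeated_arg(const char *s, size_t count)
{
    const char **v = calloc(count + 1, sizeof(*v));
    if (v == NULL) {
        return -1;
    }
    for (size_t i = 0; i < count; i++) {
        v[i] = s;
    }
    int rc = exec_args_ok(v, NULL);
    free(v);
    return rc;
}

/* One argument of `len` bytes, checked as {arg, NULL}. */
static int check_single_arg_len(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL) {
        return -1;
    }
    memset(arg, 'a', len);
    arg[len] = '\0';
    const char *v[2] = { arg, NULL };
    int rc = exec_args_ok(v, NULL);
    free(arg);
    return rc;
}
```

Note that `bounded_len` never reads beyond `limit` bytes of any one string, which is what turns "a huge string makes the size computation take forever or wrap" into a fast, deterministic rejection.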
Hello Mark,
+-- On Thu, 3 Jan 2019, Mark Cave-Ayland wrote --+
| > /* Power */
| > +static uint64_t power_mem_read(void *opaque, hwaddr addr, unsigned size)
| > +{
| > +return 0x;
| > +}
| > +
| >
| > static const MemoryRegionOps power_mem_ops = {
| > +.read =
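Review bot: the literal on the `+return 0x;` line is cut off in this listing, so the value the power register reads back cannot be checked here; the follow-up patch further down this page says the return value was changed to zero, and the reply quoting real Ultra-5 firmware output is the right thing to compare against. A one-line comment on why the read path returns a constant (register is effectively write-only, reads as zero) would also help, since the stated purpose of adding `.read` is only to avoid the NULL function pointer dereference.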
+-- On Fri, 4 Jan 2019, Mark Cave-Ayland wrote --+
| I asked someone with real Ultra-5 hardware to check this for me, and they've
| sent me back the following output:
|
| ok .properties
| address fffb8000
| button
| interrupts 0001
| reg
From: Prasad J Pandit
Define skeleton 'power_mem_read' routine. Avoid NULL dereference.
Reported-by: Fakhri Zulkifli
Signed-off-by: Prasad J Pandit
---
hw/sparc64/sun4u.c | 6 ++
1 file changed, 6 insertions(+)
Update v1: change return value to zero(0)
->
From: Prasad J Pandit
While emulating identification protocol, tcp_emu() does not check
available space in the 'sc_rcv->sb_data' buffer. It could lead to
heap buffer overflow issue. Add check to avoid it.
Reported-by: Kira <864786...@qq.com>
Signed-off-by: Prasad J Pandit
---
slirp/tcp_subr.c
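The fix described above amounts to "do not append to a receive buffer more than the space left in it". The example below is added here and is not slirp's code: `struct sbuf` keeps only the three fields named in the hunk (`sb_data`, `sb_datalen`, `sb_wptr`), the function names are hypothetical, and the helper that counts accepted appends is constructed for checking. It shows the space computation as a named function, made defensive about a corrupted write pointer, and the unchecked form beside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of the socket receive buffer; the real struct sbuf has more fields. */
struct sbuf {
    uint32_t sb_datalen;    /* capacity of sb_data */
    char *sb_data;
    char *sb_wptr;          /* next byte to write */
};

static int sbuf_init(struct sbuf *sb, uint32_t datalen)
{
    sb->sb_data = calloc(datalen, 1);
    if (sb->sb_data == NULL) {
        return -1;
    }
    sb->sb_datalen = datalen;
    sb->sb_wptr = sb->sb_data;
    return 0;
}

static void sbuf_free(struct sbuf *sb)
{
    free(sb->sb_data);
    sb->sb_data = sb->sb_wptr = NULL;
    sb->sb_datalen = 0;
}

/* Bytes still writable: sb_datalen - (sb_wptr - sb_data), the expression in the
 * hunk. A write pointer outside [sb_data, sb_data + sb_datalen] counts as no
 * space rather than producing a huge unsigned value. */
static size_t sbuf_space(const struct sbuf *sb)
{
    if (sb->sb_wptr < sb->sb_data || sb->sb_wptr > sb->sb_data + sb->sb_datalen) {
        return 0;
    }
    return sb->sb_datalen - (size_t)(sb->sb_wptr - sb->sb_data);
}

/* Append len bytes the way the fixed path does: drop the payload when it does
 * not fit instead of writing past the heap block. Returns len or -1 on drop. */
static long sbuf_append_checked(struct sbuf *sb, const void *src, size_t len)
{
    if (len > sbuf_space(sb)) {
        return -1;
    }
    memcpy(sb->sb_wptr, src, len);
    sb->sb_wptr += len;
    return (long)len;
}

/* The unchecked shape the bug corresponds to. Shown for contrast; never called. */
long sbuf_append_unchecked(struct sbuf *sb, const void *src, size_t len)
{
    memcpy(sb->sb_wptr, src, len);      /* heap overflow when len > space */
    sb->sb_wptr += len;
    return (long)len;
}

/* Scenario: a buffer of cap bytes receives n appends of chunk bytes each;
 * returns how many were accepted, or -1 on setup failure. */
static int sbuf_accepted(uint32_t cap, size_t chunk, int n)
{
    struct sbuf sb;
    char *payload = malloc(chunk ? chunk : 1);   /* constructed payload */
    int ok = 0;
    if (payload == NULL || sbuf_init(&sb, cap) < 0) {
        free(payload);
        return -1;
    }
    memset(payload, 'A', chunk);
    for (int i = 0; i < n; i++) {
        if (sbuf_append_checked(&sb, payload, chunk) >= 0) {
            ok++;
        }
    }
    sbuf_free(&sb);
    free(payload);
    return ok;
}
```

An exact fit (`len == space`) is accepted and leaves zero bytes free, which is why the comparison is `>` rather than `>=`; the drop-on-overflow policy is the one the hunk chooses, and the thread below discusses what the function should return to its caller in that case.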
+-- On Fri, 11 Jan 2019, Marc-André Lureau wrote --+
| > +if (m->m_len > so_rcv->sb_datalen
| > +- (so_rcv->sb_wptr - so_rcv->sb_data)) {
| > +m_free(m);
| > +return 0;
| > +}
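Review bot: the guard `m->m_len > so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)` subtracts a pointer difference from an integer field; pulling the right-hand side into a named local such as `remaining = so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)`, with a comment that it relies on `sb_wptr` never having run past `sb_data + sb_datalen`, would make both the intent and the no-underflow assumption explicit. The `m_free(m); return 0;` path drops the segment silently; the thread below debates whether 0 or 1 is the correct return, so the chosen value should be justified in a comment against the function's documented contract.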
|
| Check looks correct, it should
+-- On Mon, 7 Jan 2019, P J P wrote --+
| QEMU guest agent, while executing user commands, does not seem to
| check the length of the argument list and/or environment variables passed.
| It may lead to integer overflow or infinite loop issues. Add check
| to avoid it.
|
| -size_t str_size = 1
From: Prasad J Pandit
While emulating identification protocol, tcp_emu() does not check
available space in the 'sc_rcv->sb_data' buffer. It could lead to
heap buffer overflow issue. Add check to avoid it.
Reported-by: Kira <864786...@qq.com>
Signed-off-by: Prasad J Pandit
---
slirp/tcp_subr.c
+-- On Fri, 11 Jan 2019, Marc-André Lureau wrote --+
| > | Check looks correct, it should probably return 1.
| >
| > Function comment says return 1 if 'm' is valid and should be appended via
| > sbappend(). Not sure if unprocessed 'm' should go to sbappend().
|
| If you look at the rest of the
+-- On Fri, 11 Jan 2019, Daniel P. Berrangé wrote --+
| qga/commands.c already includes qemu/osdep.h which includes unistd.h.
|
| The build problem patchew reported was from *mingw* builds where
| sysconf does not exist.
I see; Not sure how to fix it. Maybe with conditional declaration?
#ifdef
Hello David,
+-- On Mon, 25 Mar 2019, David Gibson wrote --+
| The only inherent limit to dtb size should be 2^31-1 bytes (the format
| uses signed 32-bit ints as offsets).
~2GB of dtb?! Seems quite big to specify the h/w that a kernel is
going to run/boot on.
| Indeed there shouldn't be
+-- On Mon, 25 Mar 2019, Peter Maydell wrote --+
| No one has complained that it's too small because right now *we do not check
| against it* for the common case of "just load an external dtb".
|
| We should not be imposing an arbitrary limit within QEMU if we don't need
| to. Here, we do not
+-- On Mon, 18 Feb 2019, Philippe Mathieu-Daudé wrote --+
| On 2/15/19 11:59 AM, Marc-André Lureau wrote:
| Arash or Prasad can you help us here? Do you have a reproducer?
No, we don't have a reproducer handy I'm afraid.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69
+-- On Fri, 22 Mar 2019, Peter Maydell wrote --+
| This document is specific to aarch64, but the part of
| QEMU's device tree code being modified here is
| architecture independent.
|
| Cc'ing David Gibson who will probably know if there is
| an architecture-independent limit on DTB size we
From: Prasad J Pandit
Device tree blob(dtb) file cannot be larger than 2MB in size.[*]
Add check to avoid loading large dtb files in load_device_tree(),
and potential integer(dt_size) overflow.
[*] linux.git/tree/Documentation/arm64/booting.txt
Reported-by: Kurtis Miller
Signed-off-by:
From: Prasad J Pandit
On ppc hosts, the hypervisor shares the following system attributes
- /proc/device-tree/system-id
- /proc/device-tree/model
with a guest. This could lead to information leakage and misuse.[*]
Add machine attributes to control such system information exposure
to a guest.
[*]
From: Prasad J Pandit
On ppc hosts, the hypervisor shares the following system attributes
- /proc/device-tree/system-id
- /proc/device-tree/model
with a guest. This could lead to information leakage and misuse.[*]
Add machine attributes to control such system information exposure
to a guest.
[*]
Hello Greg, Dan,
+-- On Mon, 18 Feb 2019, Greg Kurz wrote --+
| >>> +spapr->host_model = NULL;
| >>
| >> This isn't needed since object_initialize_with_type() already takes care
| >> of zeroing the instance for us.
| >>
| >>> +spapr->host_serial = NULL;
| >>
| >> Same here.
|
From: Prasad J Pandit
On ppc hosts, the hypervisor shares the following system attributes
- /proc/device-tree/system-id
- /proc/device-tree/model
with a guest. This could lead to information leakage and misuse.[*]
Add machine attributes to control such system information exposure
to a guest.
[*]
+-- On Wed, 13 Feb 2019, David Gibson wrote --+
| > +
| > +object_class_property_add_str(oc, "host-serial",
| > +machine_get_host_serial, machine_set_host_serial,
| > +_abort);
| > +object_class_property_set_description(oc, "host-serial",
| > +"Set host's system-id
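Review bot: the property registered here is `host-serial`, but its description begins "Set host's system-id"; since the series maps /proc/device-tree/system-id and /proc/device-tree/model to two separate properties, the description should say plainly which host attribute `host-serial` carries (that it is the system-id) so a user can tell the two apart from `-machine help` output alone. Also, the `machine_set_host_serial` setter and the description text share the same hunk, so document the accepted values ("none"/"passthrough"/literal, as discussed in this thread) in the description string rather than only in the commit message.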
+-- On Fri, 11 Jan 2019, Paolo Bonzini wrote --+
| diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
| index 7237b4162e..42700e8897 100644
| --- a/hw/scsi/scsi-generic.c
| +++ b/hw/scsi/scsi-generic.c
| @@ -182,7 +182,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r,
From: Prasad J Pandit
On ppc hosts, the hypervisor shares the following system attributes
- /proc/device-tree/system-id
- /proc/device-tree/model
with a guest. This could lead to information leakage and misuse.[*]
Add machine attributes to control such system information exposure
to a guest.
[*]
+-- On Mon, 4 Feb 2019, David Gibson wrote --+
| I'm wondering if we can just ditch them entirely, or at least make
| them default to not present without regard to machine version.
Ie. make the default behaviour host-serial/host-model=NULL/none, instead of
'passthrough' now?
Thank you.
--
+-- On Thu, 24 Jan 2019, Michael Roth wrote --+
| I would call a helper function like get_args_max() or whatever and have
| the posix implementation in qga/commands-posix.c and a stub'd version
| in qga/commands-win32.c. There's an article here that might be useful
| for figuring out how we would
+-- On Mon, 4 Feb 2019, David Gibson wrote --+
| On Mon, Feb 04, 2019 at 11:40:46AM +0530, P J P wrote:
| > Ie. make the default behaviour host-serial/host-model=NULL/none, instead of
| > 'passthrough' now?
|
| Yes.
|
Okay, I'll send a revised patch. Thank you.
--
Prasad J Pandit / R
Hello Marc,
+-- On Thu, 23 May 2019, Marc-André Lureau wrote --+
| I don't see how you could exploit this today.
|
| QMP parser has MAX_TOKEN_COUNT (2ULL << 20).
I see, didn't realise that. I tried to reproduce it and
{"error": {"class": "GenericError", "desc": "JSON token count limit
+-- On Wed, 29 May 2019, Marc-André Lureau wrote --+
| assert() is good if it's a programming error: that is if it should never
| happen at run-time. It's a decent way to document the code.
True; But terminating server because a user sent more input parameters does
not sound good.
+-- On Wed, 29 May 2019, Marc-André Lureau wrote --+
| The error is handled before guest_exec_get_args(), isn't it?
Yes, which is okay I think.
| The qga commands are only called through QMP, afaik.
I see, cool! Thanks much for the confirmation.
Thank you.
--
Prasad J Pandit / Red Hat
+-- On Wed, 22 May 2019, Marc-André Lureau wrote --+
| On Sun, May 19, 2019 at 10:55 AM P J P wrote:
| > QEMU guest agent, while executing user commands, does not seem to
| > check the length of the argument list and/or environment variables passed.
| > It may lead to integer overflow or infi
From: Prasad J Pandit
QEMU guest agent, while executing user commands, does not seem to
check the length of the argument list and/or environment variables passed.
It may lead to integer overflow or infinite loop issues. Add check
to avoid it.
Reported-by: Niu Guoxiang
Signed-off-by: Prasad J Pandit
---
+-- On Thu, 25 Apr 2019, P J P wrote --+
| When releasing spice resources in release_resource() routine,
| if release info object 'ext.info' is null, it leads to null
| pointer dereference. Add check to avoid it.
|
| diff --git a/hw/display/qxl.c b/hw/display/qxl.c
| index c8ce5781e0..632923add2
+-- On Fri, 5 Jul 2019, Philippe Mathieu-Daudé wrote --+
| +static bool lqspi_accepts(void *opaque, hwaddr addr,
| + unsigned size, bool is_write,
| + MemTxAttrs attrs)
| +{
| +/*
| + * From UG1085, Chapter 24 (Quad-SPI controllers):
| +
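Review bot: the UG1085 citation in the `lqspi_accepts` comment is cut off in this listing before it states the condition, so make sure the committed comment spells out which access sizes or offsets the predicate rejects and why; a reader should be able to check the `accepts` logic against the `lqspi_write` skeleton added for the same device further down this page without having to open the datasheet. The unused `attrs` and `is_write` parameters are fine for a MemoryRegionOps callback, but if the predicate ignores them a short note saying so avoids the question in later review.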
+-- On Tue, 2 Jul 2019, P J P wrote --+
| |-netdev bridge,helper="/path/to/helper myarg otherarg"
| |
| | In theory any parts could contain shell meta characters, but even if
| | they don't we'll have slightly broken compat with this change.
|
| I wonder if anybody uses it like tha
From: Prasad J Pandit
The interface names in qemu-bridge-helper are defined to be
of size IFNAMSIZ(=16), including the terminating null('\0') byte.
The same is applied to interface names read from 'bridge.conf'
file to form ACL rules. If user supplied '--br=bridge' name
is not restricted to the
+-- On Fri, 28 Jun 2019, Daniel P. Berrangé wrote --+
| Ok, so we should explicitly report an error if the user supplied bridge name
| is too long, not silently truncate it.
|
| We should also report an error if config file has too long a bridge name.
Okay, ie. report error and exit?
+-- On
+-- On Fri, 28 Jun 2019, Daniel P. Berrangé wrote --+
| Can you elaborate on the way to exploit this as I'm not seeing
| any way that doesn't involve mis-configuration of the ACL
| config file data.
True, it depends on having an 'allow all' rule. If the bridge.conf had an
'allow all' rule below
+-- On Wed, 3 Jul 2019, Daniel P. Berrangé wrote --+
| A supposed exploit of QEMU was recently announced as CVE-2019-12928
| claiming that the monitor console was insecure because the "migrate"
| command enabled arbitrary command execution for a remote attacker.
|
| To be a security risk the user
From: Prasad J Pandit
Define skeleton lqspi_write routine. Avoid NULL dereference.
Reported-by: Lei Sun
Signed-off-by: Prasad J Pandit
---
hw/ssi/xilinx_spips.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index
From: Prasad J Pandit
The network interface name in Linux is defined to be of size
IFNAMSIZ(=16), including the terminating null('\0') byte.
The same is applied to interface names read from 'bridge.conf'
file to form ACL rules. If user supplied '--br=bridge' name
is not restricted to the same
From: Prasad J Pandit
Refactor 'net_bridge_run_helper' routine to avoid buffer
formatting to prepare 'helper_cmd' and using shell to invoke
helper command. Instead directly execute helper program with
due arguments.
Signed-off-by: Prasad J Pandit
---
net/tap.c | 43
From: Prasad J Pandit
Move repeating error handling sequence in parse_acl_file routine
to an 'err' label.
Signed-off-by: Prasad J Pandit
---
qemu-bridge-helper.c | 18 --
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
From: Prasad J Pandit
Hello,
Linux net_device defines network interface name to be of IFNAMSIZ(=16)
bytes, including the terminating null('\0') byte.
Qemu tap device, while invoking 'qemu-bridge-helper' tool to set up the
network bridge interface, supplies bridge name of 16 characters, thus
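The two changes this series describes, rejecting over-long bridge names instead of truncating them and handing the helper its arguments directly rather than through a shell, can be shown in one place. The example below is an added illustration, not QEMU's `net/tap.c` or `qemu-bridge-helper.c`: the `validate_ifname`/`build_helper_argv` names, the `struct helper_cmd` shape and the `--fd=` option spelling are assumptions, and the character rules beyond length (no '/', ':' or whitespace; not "." or "..") are taken from the Linux kernel's `dev_valid_name()` as this author remembers it, so treat them as an assumption too. The security point is in the comment on `build_helper_argv`: once the helper is exec'd with an argument vector, a ';' in the bridge name is data, not shell syntax.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define IFNAMSIZ 16     /* Linux interface name buffer size, terminating NUL included */

/* Reject rather than truncate. A name of IFNAMSIZ or more characters would be
 * silently cut to 15 by a fixed-size copy, so a --br= value longer than the
 * kernel allows could end up matching a different ACL entry than the one the
 * administrator wrote in bridge.conf. Returns 0 if acceptable, -1 otherwise. */
static int validate_ifname(const char *name)
{
    size_t len = 0;
    if (name == NULL || name[0] == '\0') {
        return -1;
    }
    while (name[len] != '\0') {
        if (name[len] == '/' || name[len] == ':' || isspace((unsigned char)name[len])) {
            return -1;                  /* assumed: mirrors the kernel's dev_valid_name() */
        }
        if (++len >= IFNAMSIZ) {
            return -1;                  /* no room for the NUL within IFNAMSIZ bytes */
        }
    }
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return -1;
    }
    return 0;
}

/* Arguments for exec'ing the helper directly. With an argv[] passed to execv()
 * (the fork/exec itself is not shown) a ';' or '$' in the bridge name reaches
 * the helper as plain bytes; the old `system("helper --br=%s ...")` style
 * handed the same bytes to /bin/sh as syntax. The --fd= option name is assumed. */
struct helper_cmd {
    char br_arg[IFNAMSIZ + sizeof("--br=")];
    char fd_arg[32];
    char *argv[4];
};

/* Fills c->argv; returns the argument count (3) or -1 if any input is rejected. */
static int build_helper_argv(struct helper_cmd *c, const char *helper, const char *br, int fd)
{
    int n;
    if (helper == NULL || validate_ifname(br) < 0 || fd < 0) {
        return -1;
    }
    n = snprintf(c->br_arg, sizeof(c->br_arg), "--br=%s", br);
    if (n < 0 || (size_t)n >= sizeof(c->br_arg)) {
        return -1;                      /* unreachable after validate_ifname; kept as a second fence */
    }
    n = snprintf(c->fd_arg, sizeof(c->fd_arg), "--fd=%d", fd);
    if (n < 0 || (size_t)n >= sizeof(c->fd_arg)) {
        return -1;
    }
    c->argv[0] = (char *)helper;
    c->argv[1] = c->br_arg;
    c->argv[2] = c->fd_arg;
    c->argv[3] = NULL;
    return 3;
}
```

The same `validate_ifname` is the check to apply to names read from the ACL file, so that a too-long entry in bridge.conf is reported as an error rather than silently truncated on one side and not the other.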
From: Prasad J Pandit
Move repeating error handling sequence in parse_acl_file routine
to an 'err' label.
Signed-off-by: Prasad J Pandit
---
qemu-bridge-helper.c | 19 +--
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/qemu-bridge-helper.c
From: Prasad J Pandit
Hello,
Linux net_device defines network interface name to be of IFNAMSIZ(=16)
bytes, including the terminating null('\0') byte.
Qemu tap device, while invoking 'qemu-bridge-helper' tool to set up the
network bridge interface, supplies bridge name of 16 characters, thus
+-- On Mon, 1 Jul 2019, Daniel P. Berrangé wrote --+
| > +if (strcmp(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
| > +fprintf(stderr, "name `%s' too long: %lu\n", arg, strlen(arg));
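Review bot: `%lu` with a `size_t` argument is a format mismatch (it needs `%zu`, as the reply below says), and `strlen(arg)` is evaluated twice, once in the condition and once in the message; compute it once into a `size_t len` and use that in both places. Because only `include` is exempted by `strcmp(cmd, "include")`, also confirm that every other directive reaching this point really carries an interface name in `arg`; otherwise a long non-name argument would be rejected with a misleading "name too long" error.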
|
| strlen returns size_t, which does not match %lu - it needs %zu - we can
| ignore the
From: Prasad J Pandit
The interface name in Linux interface request struct 'ifreq'
OR in qemu-bridge-helper is defined to be of size IFNAMSIZ(=16),
including the terminating null('\0') byte.
QEMU tap device, while invoking qemu-bridge-helper, supplies bridge
name of 16 characters, restrict it
From: Prasad J Pandit
The interface names in qemu-bridge-helper are defined to be
of size IFNAMSIZ(=16), including the terminating null('\0') byte.
The same is applied to interface names read from 'bridge.conf'
file to form ACL rules. If user supplied '--br=bridge' name
is not restricted to the
+-- On Mon, 1 Jul 2019, Daniel P. Berrangé wrote --+
| Playing games with multiple "perfectly" sized static buffers & snprintf is
| madness. How about re-writing this method so that it just uses
| g_strdup_printf() to dynamically format the helper_cmd string.
|
| Alternatively we could get rid
From: Prasad J Pandit
When releasing spice resources in release_resource() routine,
if release info object 'ext.info' is null, it leads to null
pointer dereference. Add check to avoid it.
Reported-by: Bugs SysSec
Signed-off-by: Prasad J Pandit
---
hw/display/qxl.c | 3 +++
1 file changed, 3
+-- On Tue, 16 Jul 2019, John Snow wrote --+
| I also feel that a privileged DOS by a guest of a legacy device is actually
| low priority security-wise, unless we can demonstrate that there are side
| effects that can be exploited.
Right, we are not treating this as a CVE issue as is.
Hello Li,
+-- On Mon, 1 Jul 2019, Li Qiang wrote --+
| You do two things here(avoid buffer formatting and get rid of calling
| shell), I would suggest you split these into split patch.
Both are related, 'helper_cmd' formatting was used with the shell invocation
as:
helper_cmd =
Hello Dan,
+-- On Tue, 2 Jul 2019, Daniel P. Berrangé wrote --+
| The original code was passing through to the shell to handle the case
| where the user requested
|
|-netdev bridge,helper="/path/to/helper myarg otherarg"
|
| In theory any parts could contain shell meta characters, but
From: Prasad J Pandit
When executing script in lsi_execute_script(), the LSI scsi adapter
emulator advances 's->dsp' index to read next opcode. This can lead
to an infinite loop if the next opcode is empty. Exit such loop
after 10k iterations.
Reported-by: Bugs SysSec
Signed-off-by: Prasad J
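The fix described above bounds an instruction-fetch loop that otherwise spins forever once the script pointer runs into empty memory. The code below is an added model, not the LSI emulator: the opcode encoding (`0` as "empty", `1` halt, `2` nop), the rule that the counter tracks consecutive empty opcodes and resets on a real one, and the assumption that a fetch outside mapped memory reads as zero are all choices made for illustration. `MAX_EMPTY_OPCODES` is the 10k figure from the commit message.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_EMPTY_OPCODES 10000     /* from the commit message */
#define OP_EMPTY 0u                 /* assumed encoding: all-zero word is "no instruction" */
#define OP_HALT  1u
#define OP_NOP   2u

#define SCRIPT_HALTED   0
#define SCRIPT_STALLED (-1)         /* gave up after too many consecutive empty opcodes */
#define SCRIPT_BAD_OP  (-2)

/* Assumed model of a SCRIPTS-style engine: dsp is the instruction pointer into
 * guest memory. A fetch outside the mapped region returns 0, like an unmapped
 * bus read, which is exactly what makes an unbounded fetch loop never return. */
struct script_cpu {
    const uint32_t *mem;
    size_t mem_words;
    uint32_t dsp;
};

static uint32_t script_fetch(struct script_cpu *s)
{
    uint32_t op = s->dsp < s->mem_words ? s->mem[s->dsp] : OP_EMPTY;
    s->dsp++;                       /* advance to the next opcode, as the emulator does */
    return op;
}

/* Run until HALT. The unfixed shape is this loop without `empty`: once dsp
 * points at zeroed or unmapped memory it never returns and the guest pins a
 * host thread. Counting consecutive empties and giving up after
 * MAX_EMPTY_OPCODES bounds the work per call. */
static int script_run(struct script_cpu *s, int *executed)
{
    int empty = 0;
    *executed = 0;
    for (;;) {
        uint32_t op = script_fetch(s);
        switch (op) {
        case OP_EMPTY:
            if (++empty > MAX_EMPTY_OPCODES) {
                return SCRIPT_STALLED;
            }
            continue;
        case OP_HALT:
            return SCRIPT_HALTED;
        case OP_NOP:
            empty = 0;              /* a real instruction resets the stall counter (assumed rule) */
            (*executed)++;
            continue;
        default:
            return SCRIPT_BAD_OP;
        }
    }
}

/* Scenario helpers: run a constructed program from dsp = 0. */
static int run_program(const uint32_t *prog, size_t words, int *executed)
{
    struct script_cpu s = { prog, words, 0 };
    return script_run(&s, executed);
}

static uint32_t run_and_get_dsp(const uint32_t *prog, size_t words)
{
    int n;
    struct script_cpu s = { prog, words, 0 };
    script_run(&s, &n);
    return s.dsp;
}

/* Constructed programs. */
const uint32_t prog_ok[]   = { OP_NOP, OP_NOP, OP_EMPTY, OP_NOP, OP_HALT };
const uint32_t prog_spin[] = { OP_EMPTY, OP_EMPTY, OP_EMPTY, OP_EMPTY };   /* then unmapped: 0 forever */
const uint32_t prog_bad[]  = { OP_NOP, 0xdeadbeefu };
```

On the stalled program the engine gives up after exactly MAX_EMPTY_OPCODES + 1 fetches, so the cost of a hostile script is fixed and small; a single genuine instruction in between resets the count, so legitimate scripts with gaps are unaffected.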
+-- On Wed, 14 Aug 2019, Paolo Bonzini wrote --+
| On 14/08/19 12:25, P J P wrote:
| > Should I send a revised patch? (with above change)
|
| Yes, please.
Sent v4. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
+-- On Tue, 13 Aug 2019, Paolo Bonzini wrote --+
| After the first instruction is processed, "again" is only reached if
| s->waiting == LSI_NOWAIT. Therefore, we could move the Windows hack to the
| beginning and remove the s->waiting condition. The only change would be
| that it would also
+-- On Fri, 9 Aug 2019, P J P wrote --+
| From: Prasad J Pandit
|
| When executing script in lsi_execute_script(), the LSI scsi
| adapter emulator advances 's->dsp' index to read next opcode.
| This can lead to an infinite loop if the next opcode is empty.
| Exit such loop after reading
+-- On Mon, 26 Aug 2019, Samuel Thibault wrote --+
| Philippe Mathieu-Daudé, on Fri 23 Aug 2019 17:15:32 +0200, wrote:
| > > Did you make your test with commit 126c04acbabd ("Fix heap overflow in
| > > ip_reass on big packet input") applied?
| >
| > Yes, unfortunately it doesn't fix the
+-- On Wed, 31 Jul 2019, Jason Wang wrote --+
| On 2019/7/29 11:04 PM, Stefan Hajnoczi wrote:
| > This change isn't related to the topic of the patch. It's a separate bug
| > fix.
| >
| > Please either document it in the commit description so it's clear the
| > change is intentional, or send it
+-- On Wed, 31 Jul 2019, Jason Wang wrote --+
| The series has been merged. Just need a patch on top and I can queue it for
| next release.
Sent patch v5. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
From: Prasad J Pandit
When invoking qemu-bridge-helper in 'net_bridge_run_helper',
instead of using fixed sized buffers, use dynamically allocated
ones initialised and returned by g_strdup_printf().
If bridge name 'br_buf' is undefined, pass empty string ("") to
g_strdup_printf() in its place,
From: Prasad J Pandit
When executing script in lsi_execute_script(), the LSI scsi
adapter emulator advances 's->dsp' index to read next opcode.
This can lead to an infinite loop if the next opcode is empty.
Exit such loop after reading 10k empty opcodes.
Reported-by: Bugs SysSec
Signed-off-by:
From: Prasad J Pandit
AHCI emulator while committing DMA buffer in ahci_commit_buf()
may do a NULL dereference if the command header 'ad->cur_cmd'
is null. Add check to avoid it.
Reported-by: Bugs SysSec
Signed-off-by: Prasad J Pandit
---
hw/ide/ahci.c | 6 --
1 file changed, 4
From: Prasad J Pandit
When executing script in lsi_execute_script(), the LSI scsi
adapter emulator advances 's->dsp' index to read next opcode.
This can lead to an infinite loop if the next opcode is empty.
Exit such loop after reading 10k empty opcodes.
Reported-by: Bugs SysSec
Signed-off-by: