From: Prasad J Pandit
Disable rarely used sdhci-pci device build by default.
Suggested-by: Stefan Hajnoczi
Signed-off-by: Prasad J Pandit
---
hw/sd/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/hw/sd/Kconfig b/hw/sd/Kconfig
index c5e1e5581c..93dea61285 100644
--- a/hw/sd/Kconfig
+-- On Wed, 20 May 2020, Philippe Mathieu-Daudé wrote --+
| Prasad, I once tried to remove it, and Kevin said he was using it:
|
| https://lists.nongnu.org/archive/html/qemu-devel/2017-12/msg02765.html
|
| I do find qemu's PCI SDHCI support useful for testing.
| SeaBIOS can launch an OS from
From: Prasad J Pandit
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + len' is
within PCI configuration space.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Report
From: Prasad J Pandit
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Increment the mm_index value to avoid it.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Reported-by: Yi Ren
Signed-off-by: Prasad
+-- On Wed, 3 Jun 2020, Gerd Hoffmann wrote --+
| Hmm, why modify mm_index? Shouldn't we just check it is non-zero
| before calling ati_mm_read/ati_mm_write?
if (s->regs.mm_index & BIT(31)) {
...
} else {
ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
}
Exit cond
From: Prasad J Pandit
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid it.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Reported-by: Yi Ren
Signed-off-by: Prasad J Pandit
+-- On Wed, 3 Jun 2020, BALATON Zoltan wrote --+
| or even > MM_DATA + 3 may be best as that only refers to defines used in
| that case. So maybe
|
| + } else if (s->regs.mm_index > MM_DATA + 3) {
| > ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
| > }
| >
| > and do the s
From: Prasad J Pandit
Hello,
This patch series fixes
1. While reading PCI configuration bytes, a guest may send an address towards
the end of the configuration space. It may lead to an OOB access issue.
Add check to ensure 'addr + size' is within bounds.
2. Assert that PCI configuration
From: Prasad J Pandit
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Assert that 'address + len' is within
PCI configuration space.
Suggested-by: Philippe Mathieu-Daudé
Signed-off-by: Prasad J Pa
From: Prasad J Pandit
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + size' is
within PCI configuration space.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Repor
+-- On Thu, 4 Jun 2020, BALATON Zoltan wrote --+
| On Thu, 4 Jun 2020, P J P wrote:
| > +assert(address + len <= pci_config_size(d));
|
| Does this allow guest now to crash QEMU?
Yes, possible. Such crash (assert failure) can be a regular bug, as reading
PCI configuration is li
From: Prasad J Pandit
While accessing VGA registers via ati_mm_read/write routines,
a guest may set 's->regs.mm_index' such that it leads to infinite
recursion. Check mm_index value to avoid such recursion. Log an
error message for wrong values.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
qemu_log_mask(LOG_GUEST_ERROR, ...
+-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
| On Thu, Jun 04, 2020 at 12:25:22AM +0530, P J P wrote:
| > While accessing VGA registers via ati_mm_read/write routines,
| > a guest may set 's->regs.mm_index' such that it leads to i
rs and fix them first, then we can safely add the assert here.
That's an elaborate task. Could we please make that into another patch series?
+-- On Thu, 4 Jun 2020, Daniel P. Berrangé wrote --+
| On Thu, Jun 04, 2020 at 01:52:50AM +0530, P J P wrote:
| > While reading PCI configuration byt
From: Prasad J Pandit
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + size' is
within PCI configuration space.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Repor
From: Prasad J Pandit
While accessing PCI configuration bytes, assert that
'address + len' is within PCI configuration space.
Generally it is within bounds. This is more of a defensive
assert, in case a buggy device was to send 'address' which
may go out of bounds.
Suggested-by: Philippe Mathie
Public bug reported:
Nathan Huckleberry has reported following issues in
the block/vvfat driver for the virtual VFAT file system image, used to
share a host system directory with a guest VM.
Please note:
-> https://www.qemu.org/docs/master/system/images.html#virtual-fat-disk-images
Virtual VF
Hello,
+-- On Thu, 21 May 2020, Paolo Bonzini wrote --+
| I think the code here was expecting frame_size_p to be 0 if cmd->frame is
| NULL. Can you check why this is not the case, or whether it ever was the
| case?
static MegasasCmd *megasas_enqueue_frame(MegasasState *s, hwaddr frame,
.
From: Prasad J Pandit
When mapping physical memory into host's virtual address space,
'address_space_map' may return NULL if BounceBuffer is in_use.
Set and return '*plen = 0' to avoid later NULL pointer dereference.
Reported-by: Alexander Bulekov
Fixes: https://bugs.launchpad.net/qemu/+bug/187
+-- On Tue, 26 May 2020, Peter Maydell wrote --+
| The doc comment for this function in include/exec/memory.h currently says
|
| "May return %NULL if resources needed to perform the mapping
| are exhausted."
|
| If we're tightening the API to guarantee to also set *plen to 0 in this
| failure c
From: Prasad J Pandit
When mapping physical memory into host's virtual address space,
'address_space_map' may return NULL if BounceBuffer is in_use.
Set and return '*plen = 0' to avoid later NULL pointer dereference.
Reported-by: Alexander Bulekov
Fixes: https://bugs.launchpad.net/qemu/+bug/187
*** This bug is a security vulnerability ***
Public security bug reported:
An out-of-bounds read access issue was found in the SD Memory Card
emulator of the QEMU. It occurs while performing block write commands
via sdhci_write(), if a guest user has sent 'address' which is OOB of
's->wp_groups'.
#!/bin/sh
cat << EOF > inp
outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001814
outl 0xcf8 0x80001804
outw 0xcfc 0x7
outl 0xcf8 0x8000fa20
write 0xe106802c 0x1 0x6d
write 0xe106800f 0x1 0xf7
write 0xe106800a 0x6 0x9b4b9b5a9b69
write 0xe1068028 0x3 0x6d6d6d
write 0xe106800f 0x1 0x02
wr
This bug and the reproducer above is shared by - Alexander Bulekov
Upstream patch thread
-> https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05877.html
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad
Upstream patch
-> https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html
https://bugs.launchpad.net/bugs/1878259
Title:
Null-pointer dereference in megasas_handle_frame
From: Prasad J Pandit
While doing msi-x mmio operations, a guest may send an address
that leads to an OOB access issue. Add valid.accepts methods to
ensure that ensuing mmio r/w operations don't go beyond regions.
Reported-by: Ren Ding
Reported-by: Hanqing Zhao
Reported-by: Anatoly Trosinenko
+-- On Mon, 1 Jun 2020, Michael S. Tsirkin wrote --+
| IMHO this is just messed up, memory core needs to guarantee this.
| I'm working on a patch to do that.
Okay. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
+-- On Mon, 1 Jun 2020, Philippe Mathieu-Daudé wrote --+
| Fixes: CVE-2020-x
'CVE-2020-13754' assigned to this issue by Mitre.
-> https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 D
", nchunks,
>length);
>+ return NULL;
>+ }
>+
> dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
> if (!dir) {
> rdma_error_report("Failed to map to page directory");
>
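Review bot: the added `return NULL;` after the nchunks/length error report exits the function directly, and the quoted lines do not show whether anything mapped or allocated earlier in the function is released on that path; the `if (!dir)` branch immediately below is a second error exit of the same shape, so confirm both unwind the same resources, ideally through one shared error label rather than two independent returns.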
Looks okay.
Reviewed-by: Prasad J Pandit
Thank you.
---
-P J P
http://feedmug.com
;struct type'
field.
* Does adding a field to struct type (ex. DeviceClass) scale to all
objects/modules/backends etc?
Does it have any limitations to include/cover other sources/objects?
* I'd really appreciate any feedback/inputs/suggestions you may have.
Thank you.
---
-P J P
http://feedmug.com
Hello Marc,
+-- On Thu, 23 May 2019, Marc-André Lureau wrote --+
| I don't see how you could exploit this today.
|
| QMP parser has MAX_TOKEN_COUNT (2ULL << 20).
I see, didn't realise that. I tried to reproduce it and
{"error": {"class": "GenericError", "desc": "JSON token count limit
exc
+-- On Wed, 29 May 2019, Marc-André Lureau wrote --+
| assert() is good if it's a programming error: that is if it should never
| happen at run-time. It's a decent way to document the code.
True; but terminating the server because a user sent more input parameters does
not sound good.
{"error":
+-- On Wed, 29 May 2019, Marc-André Lureau wrote --+
| The error is handled before guest_exec_get_args(), isn't it?
Yes, which is okay I think.
| The qga commands are only called through QMP, afaik.
I see, cool! Thanks much for the confirmation.
Thank you.
--
Prasad J Pandit / Red Hat Product
+-- On Tue, 16 Jul 2019, John Snow wrote --+
| I also feel that a privileged DOS by a guest of a legacy device is actually
| low priority security-wise, unless we can demonstrate that there are side
| effects that can be exploited.
Right, we are not treating this as a CVE issue as is. Privileged
From: Prasad J Pandit
Hello,
Linux net_device defines network interface name to be of IFNAMSIZ(=16)
bytes, including the terminating null('\0') byte.
Qemu tap device, while invoking 'qemu-bridge-helper' tool to set up the
network bridge interface, supplies bridge name of 16 characters, thus
al
From: Prasad J Pandit
The network interface name in Linux is defined to be of size
IFNAMSIZ(=16), including the terminating null('\0') byte.
The same is applied to interface names read from 'bridge.conf'
file to form ACL rules. If user supplied '--br=bridge' name
is not restricted to the same len
From: Prasad J Pandit
When invoking qemu-bridge-helper in 'net_bridge_run_helper',
instead of using fixed sized buffers, use dynamically allocated
ones initialised and returned by g_strdup_printf().
Signed-off-by: Prasad J Pandit
---
net/tap.c | 19 +++
1 file changed, 11 inser
From: Prasad J Pandit
Move repeating error handling sequence in parse_acl_file routine
to an 'err' label.
Signed-off-by: Prasad J Pandit
---
qemu-bridge-helper.c | 19 +--
1 file changed, 9 insertions(+), 10 deletions(-)
Reviewed v3:
-> https://lists.nongnu.org/archive/html/
+-- On Tue, 23 Jul 2019, Li Qiang wrote --+
| Stefan Hajnoczi wrote on Tue, 23 Jul 2019 at 9:03 PM:
| > On Tue, Jul 23, 2019 at 04:17:54PM +0530, P J P wrote:
| > > -snprintf(helper_cmd, sizeof(helper_cmd), "%s %s %s %s",
| > > - helper, &qu
Hello Jason,
+-- On Thu, 25 Jul 2019, Jason Wang wrote --+
| > URL:https://patchew.org/QEMU/20190723104754.29324-1-ppan...@redhat.com/
|
| Prasad, this looks unrelated to the series? Please double check.
Yes, it is unrelated. Not sure how it gets triggered.
Thank you.
--
Prasad J Pandit / Red
+-- On Wed, 3 Jul 2019, Daniel P. Berrangé wrote --+
| A supposed exploit of QEMU was recently announced as CVE-2019-12928
| claiming that the monitor console was insecure because the "migrate"
| command enabled arbitrary command execution for a remote attacker.
|
| To be a security risk the user
From: Prasad J Pandit
Define skeleton lqspi_write routine. Avoid NULL dereference.
Reported-by: Lei Sun
Signed-off-by: Prasad J Pandit
---
hw/ssi/xilinx_spips.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 8115bb6d46..0836b8977
+-- On Wed, 3 Jul 2019, no-re...@patchew.org wrote --+
| Patchew URL:
https://patchew.org/QEMU/20190703190615.31436-1-ppan...@redhat.com/
|
| This series failed the asan build test. Please find the testing commands and
| their output below. If you have Docker installed, you can probably reproduce
+-- On Fri, 5 Jul 2019, Philippe Mathieu-Daudé wrote --+
| +static bool lqspi_accepts(void *opaque, hwaddr addr,
| + unsigned size, bool is_write,
| + MemTxAttrs attrs)
| +{
| +/*
| + * From UG1085, Chapter 24 (Quad-SPI controllers):
| +
+-- On Tue, 2 Jul 2019, P J P wrote --+
| |-netdev bridge,helper="/path/to/helper myarg otherarg"
| |
| | In theory any parts could contain shell meta characters, but even if
| | they don't we'll have slightly broken compat with this change.
|
| I wonder if anybody uses i
+-- On Mon, 18 Feb 2019, Philippe Mathieu-Daudé wrote --+
| On 2/15/19 11:59 AM, Marc-André Lureau wrote:
| Arash or Prasad can you help us here? Do you have a reproducer?
No, we don't have a reproducer handy I'm afraid.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90
From: Prasad J Pandit
When releasing spice resources in release_resource() routine,
if release info object 'ext.info' is null, it leads to null
pointer dereference. Add check to avoid it.
Reported-by: Bugs SysSec
Signed-off-by: Prasad J Pandit
---
hw/display/qxl.c | 3 +++
1 file changed, 3 i
From: Prasad J Pandit
On ppc hosts, the hypervisor shares the following system attributes
- /proc/device-tree/system-id
- /proc/device-tree/model
with a guest. This could lead to information leakage and misuse.[*]
Add machine attributes to control such system information exposure
to a guest.
[*] h
+-- On Mon, 4 Feb 2019, David Gibson wrote --+
| I'm wondering if we can just ditch them entirely, or at least make
| them default to not present without regard to machine version.
I.e. make the default behaviour host-serial/host-model=NULL/none, instead of
'passthrough' now?
Thank you.
--
Prasad
+-- On Mon, 4 Feb 2019, David Gibson wrote --+
| On Mon, Feb 04, 2019 at 11:40:46AM +0530, P J P wrote:
| > I.e. make the default behaviour host-serial/host-model=NULL/none, instead of
| > 'passthrough' now?
|
| Yes.
|
Okay, I'll send a revised patch. Thank you.
--
Pras
From: Prasad J Pandit
Device tree blob(dtb) file cannot be larger than 2MB in size.[*]
Add check to avoid loading large dtb files in load_device_tree(),
and potential integer(dt_size) overflow.
[*] linux.git/tree/Documentation/arm64/booting.txt
Reported-by: Kurtis Miller
Signed-off-by: Prasad
+-- On Fri, 22 Mar 2019, Peter Maydell wrote --+
| This document is specific to aarch64, but the part of
| QEMU's device tree code being modified here is
| architecture independent.
|
| Cc'ing David Gibson who will probably know if there is
| an architecture-independent limit on DTB size we should
Hello David,
+-- On Mon, 25 Mar 2019, David Gibson wrote --+
| The only inherent limit to dtb size should be 2^31-1 bytes (the format
| uses signed 32-bit ints as offsets).
~2GB of dtb?! Seems quite big to specify the h/w that a kernel is
going to run/boot on.
| Indeed there shouldn't be any
+-- On Mon, 25 Mar 2019, Peter Maydell wrote --+
| No one has complained that it's too small because right now *we do not check
| against it* for the common case of "just load an external dtb".
|
| We should not be imposing an arbitrary limit within QEMU if we don't need
| to. Here, we do not nee
From: Prasad J Pandit
Qemu guest agent while executing user commands does not seem to
check length of argument list and/or environment variables passed.
It may lead to integer overflow or infinite loop issues. Add check
to avoid it.
Reported-by: Niu Guoxiang
Signed-off-by: Prasad J Pandit
---
+-- On Wed, 22 May 2019, Marc-André Lureau wrote --+
| On Sun, May 19, 2019 at 10:55 AM P J P wrote:
| > Qemu guest agent while executing user commands does not seem to
| > check length of argument list and/or environment variables passed.
| > It may lead to integer overflow or infi
+-- On Fri, 11 Jan 2019, Paolo Bonzini wrote --+
| diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
| index 7237b4162e..42700e8897 100644
| --- a/hw/scsi/scsi-generic.c
| +++ b/hw/scsi/scsi-generic.c
| @@ -182,7 +182,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r,
SCSIDev
+-- On Thu, 24 Jan 2019, Michael Roth wrote --+
| I would call a helper function like get_args_max() or whatever and have
| the posix implementation in qga/commands-posix.c and a stub'd version
| in qga/commands-win32.c. There's an article here that might be useful
| for figuring out how we would i
From: Prasad J Pandit
While servicing the OHCI transfer descriptors(TD), OHCI host
controller derives variables 'start_addr', 'end_addr', 'len'
etc. from values supplied by the host controller driver.
Host controller driver may supply values such that using
above variables leads to out-of-bounds
Hello all,
Recently while conversing with DanPB this point came up
-> https://www.qemu.org/contribute/security-process/
* Currently QEMU security team is a handful of individual contacts which
restricts community participation in dealing with these issues.
* The Onus also lies with the
+-- On Fri, 11 Sep 2020, Alexander Bulekov wrote --+
| > On 200911 2257, Li Qiang wrote:
| > > Could you also provide the reproducer?
* Sorry, we can not share reproducers on the list, I'm afraid.
* Thank you Alex for the -qtests.
| > > I think it is better to split this patch to 2 or three as t
Hello,
+-- On Fri, 11 Sep 2020, Peter Maydell wrote --+
| Way way back, the idea of a qemu-security list was proposed, and it was
| decided against because there wasn't a clear way that people could send
| encrypted mail to the security team if it was just a mailing list. So that's
| why we h
+-- On Thu, 27 Aug 2020, P J P wrote --+
| While mapping IRQ level in pci_change_irq_level() routine,
| it does not check if pci_get_bus() returned a valid pointer.
| It may lead to a NULL pointer dereference issue. Add check to
| avoid it.
|
| -> https://ruhr-uni-bochum.sciebo.d
+-- On Thu, 27 Aug 2020, P J P wrote --+
| While transferring data via fdctrl_write_data(), check that
| current drive does not have a null block pointer. Avoid
| null pointer dereference.
|
| -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1
| ==1658854==H
+-- On Tue, 11 Aug 2020, P J P wrote --+
| * This series asserts that MemoryRegionOps objects define read/write
| callback methods. Thus avoids potential NULL pointer dereference.
| ex. ->
https://git.qemu.org/?p=qemu.git;a=commit;h=bb15013ef34617eb1344f5276292cadd326c21b2
|
| * Also a
Hello,
+-- On Wed, 16 Sep 2020, Peter Maydell wrote --+
| On Wed, 16 Sep 2020 at 07:28, P J P wrote:
| > -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1
| > ==1183858==Hint: address points to the zero page.
| > #0 pci_change_irq_level hw/pci/pci.
Hello Li,
+-- On Fri, 18 Sep 2020, Li Qiang wrote --+
| P J P wrote on Fri, 18 Sep 2020 at 6:26 PM:
| > +-- On Fri, 18 Sep 2020, Li Qiang wrote --+
| > | Update v2: use an assert() call
| > | ->https://list
+-- On Tue, 29 Sep 2020, Li Qiang wrote --+
| P J P wrote on Tue, 29 Sep 2020 at 2:22 PM:
| > +-- On Fri, 18 Sep 2020, Li Qiang wrote --+
| > | P J P wrote on Fri, 18 Sep 2020 at 6:26 PM:
| > | > +-- On Fri, 18 Sep 2020, Li Qiang wrote --+
| > | > | Update v2: use an assert() call
| > | > |
-&
[+Paolo, +Fam Zheng - for scsi]
+-- On Mon, 28 Sep 2020, P J P wrote --+
| +-- On Wed, 16 Sep 2020, Peter Maydell wrote --+
| | On Wed, 16 Sep 2020 at 07:28, P J P wrote:
| | > ->
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1
| | > ==1183858==Hint: address
+-- On Wed, 16 Sep 2020, Philippe Mathieu-Daudé wrote --+
| On 8/11/20 1:41 PM, P J P wrote:
| > When registering a MemoryRegionOps object, assert that its
| > read/write callback methods are defined. This avoids potential
| > guest crash via a NULL pointer dereference.
| >
| &g
From: Prasad J Pandit
Hello,
* While servicing transfer descriptors(TD) in ohci_service[_iso]_td
routines, it may lead to out-of-bounds access and/or infinite loop
issues, as the OHCI controller driver may supply malicious values
to derive frame_number, start_addr, end_addr etc. variables.
From: Prasad J Pandit
While servicing the OHCI transfer descriptors(TD), OHCI host
controller derives variables 'start_addr', 'end_addr', 'len'
etc. from values supplied by the host controller driver.
Host controller driver may supply values such that using
above variables leads to out-of-bounds
From: Prasad J Pandit
While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
retires a TD if it has passed its time frame. It does not check if
the TD was already processed once and holds an error code in TD_CC.
It may happen if the TD list has a loop. Add check to avoid an
infinite l
+-- On Tue, 15 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > I think in normal this 'bus' will be not NULL. I have looked at the link in
| > the commit msg. I find it is another DMA to MMIO issue which we have
| > discussed a lot but didn't come up with a satisfying solution.
If 'bus' is unlik
+-- On Fri, 4 Sep 2020, P J P wrote --+
| From: Prasad J Pandit
|
| When cancelling an i/o operation via ide_cancel_dma_sync(),
| a block pointer may be null. Add check to avoid null pointer
| dereference.
|
| -> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullp
Hello all,
+-- On Wed, 16 Sep 2020, Stefan Hajnoczi wrote --+
| I'm surprised the lack of encryption doesn't bother you. The security bug
| reporting process should be confidential to prevent disclosure of 0-days.
* I think it'll work only if all issue reports are encrypted. Under current
p
Hello Alex,
+-- On Fri, 11 Sep 2020, Alexander Bulekov wrote --+
| * I'm guessing this will be a closed list with some application/vetting
|procedure for the participants? (Maybe this is what you mean by
|"moderated" ?)
Yes.
| * Will secalert still be subscribed (for managing CVE I
+-- On Fri, 18 Sep 2020, Li Qiang wrote --+
| Update v2: use an assert() call
| ->https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08336.html
...
| I think it is better to defer this check to 'ide_cancel_dma_sync'.
| 'ide_cancel_dma_sync' is also called by 'cmd_device_reset' and all o
From: Prasad J Pandit
While transferring data via fdctrl_read/write_data() routines,
check that current drive does not have a null block pointer.
Avoid null pointer dereference.
-> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1
==1658854==Hint: address points to th
+-- On Tue, 20 Oct 2020, P J P wrote --+
| +-- On Fri, 16 Oct 2020, P J P wrote --+
| | * So ie. we need to:
| |
| | 1. Create/setup a regular non-encrypted 'qemu-security' list.
| |
| | 2. Invite representatives from user/downstream communities to subscribe to it.
|
+-- On Thu, 22 Oct 2020, Daniel P. Berrangé wrote --+
| On Thu, Oct 22, 2020 at 12:24:16PM -0400, Alexander Bulekov wrote:
| > > Once [2] lands upstream, we should see a significant uptick in oss-fuzz
| > > reports, and I hope that we can develop a process to ensure these bugs
| > > are properly
+-- On Wed, 30 Sep 2020, Igor Mammedov wrote --+
| 'dest' is offset into MemoryRegion, so far I don't see how it could break
| into QEMU stack. Do you have a simple reproducer?
Please see:
-> https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1
Thank you.
--
Prasad J Pandit
+-- On Fri, 18 Sep 2020, P J P wrote --+
| +-- On Wed, 16 Sep 2020, Stefan Hajnoczi wrote --+
| | Do downstream maintainers want to know about potential security bug reports
| | that have not been triaged yet?
| |
| | Maybe there should there be a pre-announce list for bugs that have been
Hello Darren,
+-- On Wed, 30 Sep 2020, Darren Kenny wrote --+
| While that is true, some aliases have managed to do something here by having
| a single key for the alias, and behind the scenes that re-encrypts the
| e-mail for each member of that alias (trying to avoid the 'list' term a
| lit
+-- On Thu, 1 Oct 2020, Darren Kenny wrote --+
| The storage of reproducers would indeed be good to have in something
| like Gitlab - but that'd require someone to extract it and store it, but
| under what naming would be another issue... But really that's behind the
| scenes.
Yes.
| > Maybe w
From: Prasad J Pandit
While receiving packets via e1000e_write_packet_to_guest() routine,
'desc_offset' is advanced only when RX descriptor is processed. And
RX descriptor is not processed if it has NULL buffer address.
This may lead to an infinite loop condition. Increment 'desc_offset'
to proc
Hello Dan, Stefan,
+-- On Tue, 17 Nov 2020, Daniel P. Berrangé wrote --+
| On Tue, Nov 17, 2020 at 04:19:42PM +, Stefan Hajnoczi wrote:
| > Dan and I tried out confidential issues and unfortunately it is
| > currently too limited for our workflow.
| >
| > It is not possible to add non-memb
From: Prasad J Pandit
During data transfer via packet command in 'ide_atapi_cmd_reply_end'
's->io_buffer_index' could exceed the 's->io_buffer' length, leading
to OOB access issue. Add check to avoid it.
...
#9 ahci_pio_transfer ../hw/ide/ahci.c:1383
#10 ide_transfer_start_norecurse ../hw/ide
+-- On Sun, 30 Aug 2020, Alexander Bulekov wrote --+
| I think there is already a fix queued for this one:
| https://www.mail-archive.com/qemu-devel@nongnu.org/msg734424.html
Yes, it looks similar.
| > @@ -1615,7 +1615,14 @@ static int xhci_setup_packet(XHCITransfer *xfer)
| > xhci_xfer_cr
Hello Li,
+-- On Tue, 25 Aug 2020, Li Qiang wrote --+
| Just see the page.
| -->https://access.redhat.com/security/cve/CVE-2020-14364
|
| The 'Attack Vector' of the CVSS score here is 'local'.
|
| I think this should be 'network' as the guest user can touch this in cloud
| environment? What's
+-- On Sun, 30 Aug 2020, Alexander Bulekov wrote --+
| Here's a qtest reproducer for this one:
|
| cat << EOF |./i386-softmmu/qemu-system-i386 -nodefaults \
| -device sdhci-pci -device sd-card,drive=mydrive \
| -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
| -nographic -accel qtest
Proposed patch
-> https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg07968.html
https://bugs.launchpad.net/bugs/1892960
Title:
Heap-overflow in flatview_read through sdhci_
+-- On Tue, 1 Sep 2020, Philippe Mathieu-Daudé wrote --+
| The 'Transfer Block Size' field is 12-bit wide.
| See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
|
| Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+ https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%
+-- On Wed, 2 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > +if (s->data_count <= begin || s->data_count > s->buf_maxsz) {
| > +break;
| > +}
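Review bot: the new `break` on an out-of-range `s->data_count` silently truncates the transfer and leaves no trace for anyone debugging the model; emit a `qemu_log_mask(LOG_GUEST_ERROR, ...)` at the break, and state in the commit message which register write lets `data_count` reach that state, so the root cause in the model can be fixed rather than masked.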
|
| Thanks for your patch. Note however this kind of security fix hides
| the bug in the model, furthermore it make
+-- On Tue, 1 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > ->
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
|
| This directory is 3 months old, I can't find it on the list...
| Did I miss that or did the list eat the report?
No, it was reported to [qemu-secu
From: Prasad J Pandit
While doing multi block SDMA, transfer block size may exceed
the 's->fifo_buffer[s->buf_maxsz]' size. It may leave the
current element pointer 's->data_count' pointing out of bounds.
Leading the subsequent DMA r/w operation to OOB access issue.
Assert that 's->data_count' is
+-- On Mon, 31 Aug 2020, Philippe Mathieu-Daudé wrote --+
| > +++ b/hw/ide/core.c
| > @@ -718,7 +718,7 @@ void ide_cancel_dma_sync(IDEState *s)
| > -if (s->bus->dma->aiocb) {
| > +if (s->blk && s->bus->dma->aiocb) {
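Review bot: the added `s->blk &&` guard turns a NULL block backend into a silent no-op, but the hunk does not say whether that is a legitimate state for this device; if it is not, an `assert(s->blk)` documents the invariant and keeps the model bug visible, and if it is guest-reachable, the commit message should explain how, since the guard then changes guest-visible behaviour.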
|
| But s->blk mustn't be null here... IMHO we should assert() here and ad
+-- On Thu, 3 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > +if (s->blk) {
| > +ide_cancel_dma_sync(s);
| > +bm->status &= ~BM_STATUS_DMAING;
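Review bot: `bm->status &= ~BM_STATUS_DMAING;` now sits inside the `if (s->blk)` block, so when `s->blk` is NULL the DMAING bit is never cleared and a guest polling the bus-master status can spin; clear the status bit unconditionally and keep only the `ide_cancel_dma_sync(s)` call under the guard.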
|
| If you don't clear this bit the guest might keep retrying (looping).
Oh, okay will keep it out of the if(s
+-- On Thu, 3 Sep 2020, Philippe Mathieu-Daudé wrote --+
| > -assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
| > +assert(s->data_count <= s->buf_maxsz);
| > +assert(s->data_count > begin);
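Review bot: splitting the conjunction into two assert() calls improves the diagnostic but does not change the outcome when a guest can drive `s->data_count` past `s->buf_maxsz`: QEMU still aborts. A bound that guest-controlled register writes can violate belongs in the write path as a rejected or clamped value with a LOG_GUEST_ERROR message; assert() should be reserved for conditions the model itself guarantees.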
|
| Doesn't seem enough, guest crash here, having:
|
|
+-- On Thu, 3 Sep 2020, Philippe Mathieu-Daudé wrote --+
| If you don't mind I might split the assert in 2 when applying:
|
| -assert(s->data_count <= s->buf_maxsz && s->data_count > begin);
| +assert(s->data_count <= s->buf_maxsz);
| +assert(s->data_count > beg