Hi,

> > Problem is that usb_desc_create_serial didn't perform that check, so a
> > loooong path string (can happen with deep pci-bridge nesting) results in
> > the third snprintf call smashing the stack.
>
> Is this exploitable enough to need a CVE?

It isn't guest-triggerable. Also it needs a pretty unusual config to happen
(pci-bridges nested so deep that lspci -t inside the guest crashes). So I'd
rate it pretty low on the severity scale.

> > Fix this by throwing out all the snpintf calls and use g_strdup_printf
>
> s/snpintf/snprintf/

Fixed.

cheers,
  Gerd
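An added illustration of the bug class discussed in the thread, not QEMU's code and not part of the exchange above: the buggy variant's shape (a fixed 64-byte stack buffer and a running offset fed back into snprintf) is assumed from the description, the bridge names in the constructed path are made up, and the hardened variant uses snprintf(NULL, 0, ...) plus malloc in place of g_strdup_printf so the example has no glib dependency.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Size of the fixed on-stack buffer assumed for the buggy variant. */
#define SERIAL_LEN 64

/*
 * Accounting of the chained-snprintf pattern (assumed shape, not QEMU's
 * actual code):
 *
 *     char serial[SERIAL_LEN]; int dst;
 *     dst  = snprintf(serial, sizeof(serial), "%s", str);
 *     dst += snprintf(serial + dst, sizeof(serial) - dst, "-%s", path);
 *     dst += snprintf(serial + dst, sizeof(serial) - dst, "-%s", port);
 *
 * snprintf returns the length the full output *would* have had, not what it
 * wrote, so once dst exceeds SERIAL_LEN the next call gets a pointer past the
 * end of the buffer and a size of (size_t)(SERIAL_LEN - dst), which wraps to
 * a huge value: the write is unbounded and lands on the stack above serial[].
 * This function follows that arithmetic with size-0 snprintf calls and reports
 * whether the real calls would overflow, without doing any unsafe write.
 */
bool serial_chain_overflows(const char *str, const char *path, const char *port)
{
    int dst = snprintf(NULL, 0, "%s", str);
    if (path) {
        if (dst > SERIAL_LEN)
            return true;        /* second call already writes out of bounds */
        dst += snprintf(NULL, 0, "-%s", path);
    }
    if (dst > SERIAL_LEN)
        return true;            /* third call writes out of bounds */
    (void)port;                 /* dst == SERIAL_LEN gives size 0: no write, only truncation */
    return false;
}

/*
 * Hardened form: size the result first, then allocate exactly that much, the
 * way g_strdup_printf does, so no caller-controlled length can exceed it.
 * The caller frees the result.
 */
char *serial_build(const char *str, const char *path, const char *port)
{
    const char *sep = path ? "-" : "";
    const char *mid = path ? path : "";
    int n = snprintf(NULL, 0, "%s%s%s-%s", str, sep, mid, port);
    if (n < 0)
        return NULL;
    char *serial = malloc((size_t)n + 1);
    if (!serial)
        return NULL;
    snprintf(serial, (size_t)n + 1, "%s%s%s-%s", str, sep, mid, port);
    return serial;
}

/*
 * Constructed test input standing in for a qdev path of a device behind
 * 'depth' nested PCI bridges (the names are invented for this example).
 * Capacity: "pci.0" + NUL, plus "/pci-bridge" and up to 11 digits per level.
 */
char *make_deep_path(int depth)
{
    size_t cap = 6 + (size_t)depth * 23;
    char *p = malloc(cap);
    if (!p)
        return NULL;
    size_t len = (size_t)snprintf(p, cap, "pci.0");
    for (int i = 0; i < depth; i++)
        len += (size_t)snprintf(p + len, cap - len, "/pci-bridge%d", i);
    return p;
}

int main(void)
{
    char *shallow = make_deep_path(1);
    char *deep = make_deep_path(8);     /* 101 bytes, longer than SERIAL_LEN */
    printf("shallow path overflows: %s\n",
           serial_chain_overflows("42", shallow, "1") ? "yes" : "no");
    printf("deep path overflows:    %s\n",
           serial_chain_overflows("42", deep, "1") ? "yes" : "no");
    char *s = serial_build("42", deep, "1");
    printf("heap-built serial is %zu bytes, no fixed buffer to overrun\n", strlen(s));
    free(s);
    free(shallow);
    free(deep);
    return 0;
}
```

The check is strict on purpose: with dst == SERIAL_LEN the next snprintf receives a size of 0 and writes nothing, so only dst > SERIAL_LEN turns into an out-of-bounds write; the truncation at dst == SERIAL_LEN is a correctness bug, not a memory-safety one.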