On Thu, 6 Dec 2018 at 12:20, P J P <ppan...@redhat.com> wrote: > > From: Prasad J Pandit <p...@fedoraproject.org> > > While performing block transfer write in smb_ioport_writeb(), > 'smb_index' is incremented and used to index smb_data[] array. > Check 'smb_index' value to avoid OOB access. > > Note that this bug is exploitable by a guest to escape > from the virtual machine. However the commit which > introduced the bug was only made after the 3.0 release, > and so it is not present in any released QEMU versions. > > Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability > Reported-by: Michael Hanselmann <pub...@hansmi.ch> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/i2c/pm_smbus.c | 3 +++ > 1 file changed, 3 insertions(+) > > Update v1: add note about issue being introduced after 3.0 release > -> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg01115.html
Applied, thanks. -- PMM
