+-- On Mon, 20 Jul 2020, Li Qiang wrote --+
| This seems to be the same issue as LP#1886362. Look at the free path. Here the
| 'e1000e_write_to_rx_buffers' triggers DMA and then goes to address space
| dispatch. So the DMA is not RAM but a MMIO range. Then we go to another send
| path, and in that we free the 'iov'.

Cool. Thanks so much for the confirmation, Li.

| Alex, did you try my patch to solve LP#1886362? I have tried it and it
| seems this UAF is not triggered.

He mentioned that your patch fixes both issues:
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05367.html
...
> On the other hand, I cannot reproduce either issue with Li's patch:
> Message-Id: <20200716161453.61295-1-liq...@163.com>

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D