From: Prasad J Pandit
Define skeleton 'uar_read' routine. Avoid NULL dereference.
Reported-by: Li Qiang
Signed-off-by: Prasad J Pandit
---
hw/rdma/vmw/pvrdma_main.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index
From: Prasad J Pandit
Hello,
Various issues (OOB access, null dereference and possible infinite loop) were
reported in the rdma/pvrdma backends. This patch set attempts to fix these.
Thank you.
---
Prasad J Pandit (5):
rdma: check that num_sge does not exceed MAX_SGE
pvrdma: add uar_read
From: Prasad J Pandit
While performing block transfer write in smb_ioport_writeb(),
'smb_index' is incremented and used to index smb_data[] array.
Check 'smb_index' value to avoid OOB access.
Note that this bug is exploitable by a guest to escape
from the virtual machine. However the commit
+-- On Thu, 6 Dec 2018, P J P wrote --+
| | to clarify that this is a serious bug but also that it's
| | not one that will be affecting anybody's production systems.
|
| Okay, preparing patch v2...
Sent revised patch
[PATCH v1] i2c: pm_smbus: check smb_index before block transfer write
Thank
+-- On Thu, 6 Dec 2018, Peter Maydell wrote --+
| > > Do we need patch v2, or can it be done while merging it?
| >
| > I can add in the Fixes line when I apply the patch to master.
|
| Oh, I think we should also add to the commit message something
| along the lines of:
|
| "Note that this bug is
+-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
| > From: Prasad J Pandit
| >
| > While performing block transfer write in smb_ioport_writeb(),
| > 'smb_index' is incremented and used to index smb_data[] array.
| > Check 'smb_index' value to avoid OOB access.
| >
| > Reported-by: Michael
From: Prasad J Pandit
While performing block transfer write in smb_ioport_writeb(),
'smb_index' is incremented and used to index smb_data[] array.
Check 'smb_index' value to avoid OOB access.
Reported-by: Michael Hanselmann
Signed-off-by: Prasad J Pandit
---
hw/i2c/pm_smbus.c | 3 +++
1 file
+-- On Thu, 29 Nov 2018, Eric Blake wrote --+
| How important is this for 3.1? We've missed -rc3. Is this CVE quality
| because of a guest being able to cause mayhem by intentionally getting into
| this condition (in which case, we need it, as well as a CVE assigned)? Is it
| pre-existing in
+-- On Mon, 19 Nov 2018, P J P wrote --+
| From: Prasad J Pandit
|
| The length parameter values are not negative, thus use an unsigned
| type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
| calls. If it was negative, it could lead to memory corruption issues.
| Add check
e(),
| like in v9fs_rename().
|
| Impact: DoS triggered by unprivileged guest users.
|
| Cc: P J P
| Reported-by: zhibin hu
| Signed-off-by: Greg Kurz
| ---
| hw/9pfs/9p.c |3 +++
| 1 file changed, 3 insertions(+)
|
| diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
| index 267a25533b77..bdf7919ab
+-- On Wed, 21 Nov 2018, Stefan Berger wrote --+
| I audited all functions yesterday and my proposed patches are on the mailing
| list. The abort related ones seem most critical but they are all passed values
| they can handle. I do not think that an out-of-bounds access can occur with
| the
Hello Stefan, Marc,
+-- On Tue, 20 Nov 2018, P J P wrote --+
| | On 11/20/18 2:22 AM, P J P wrote:
| | > From: Prasad J Pandit
| | > While performing mmio device r/w operations, guest could set 'addr'
| | > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
| | > a
Hello Gerd,
+-- On Mon, 12 Nov 2018, Gerd Hoffmann wrote --+
| On Tue, Oct 30, 2018 at 09:23:40AM +0100, Gerd Hoffmann wrote:
| > Fixes: CVE-2018-???
| > Cc: P J P
|
| ping, do we have a cve number meanwhile?
No, the off-by-one does not seem to have an adverse effect. One byte past
AR
Hello Petr, Paolo,
+-- On Tue, 6 Nov 2018, Paolo Bonzini wrote --+
| On 06/11/2018 13:03, Peter Maydell wrote:
| > When can this masking have any effect? These functions are
| > the read and write ops for lsi_ram_ops, which we register with
| > memory_region_init_io(>ram_io, OBJECT(s),
Hello Stefan,
+-- On Tue, 20 Nov 2018, Stefan Berger wrote --+
| On 11/20/18 2:22 AM, P J P wrote:
| > From: Prasad J Pandit
| >
| > While performing mmio device r/w operations, guest could set 'addr'
| > parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
| > af
From: Prasad J Pandit
While performing mmio device r/w operations, guest could set 'addr'
parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5
after setting new 'locty' via 'tpm_tis_new_active_locality'.
Add check to avoid OOB access.
Reported-by: Cheng Feng
Signed-off-by: Prasad
|
| It turns out that the same can happen at several locations where
| v9fs_path_copy() is used to set the fid path. The fix is again to
| take the write lock.
|
| Cc: P J P
| Reported-by: zhibin hu
| Signed-off-by: Greg Kurz
| ---
| hw/9pfs/9p.c | 15 +++
| 1 file changed, 15
+-- On Tue, 6 Nov 2018, Philippe Mathieu-Daudé wrote --+
| > @@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque,
| > static uint8_t buf[4096];
| >
| > buf[0] = type;
| > +assert(len <= sizeof(buf) - 1);
|
| Why not simply "assert(len < sizeof(buf));"?
| > for
From: Prasad J Pandit
The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If it was negative, it could lead to memory corruption issues.
Add check to avoid it.
Reported-by: Arash TC
Signed-off-by: Prasad
From: Prasad J Pandit
While accessing script ram[2048] via 'lsi_ram_read/write' routines,
'addr' could exceed the ram range. Mask high order bits to avoid
OOB access.
Reported-by: Mark Kanda
Signed-off-by: Prasad J Pandit
---
hw/scsi/lsi53c895a.c | 2 ++
1 file changed, 2 insertions(+)
diff
From: Prasad J Pandit
While performing mmio device r/w operations, guest could set 'addr'
parameter such that 'locty' index exceeds TPM_TIS_NUM_LOCALITIES=5.
Add check to avoid OOB access.
Reported-by: Cheng Feng
Signed-off-by: Prasad J Pandit
---
hw/tpm/tpm_tis.c | 10 --
1 file
From: Prasad J Pandit
When TIS request is done, set 'sts' data field across all localities.
Signed-off-by: Prasad J Pandit
---
hw/tpm/tpm_tis.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c
index 20126dd838..58d90645bc 100644
---
+-- On Sat, 27 Oct 2018, P J P wrote --+
|+-- On Sun, 21 Oct 2018, P J P wrote --+
|| The length parameter values are not negative, thus use an unsigned
|| type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
|| calls. If it was negative, it could lead to memory corruption issues
+-- On Mon, 29 Oct 2018, Peter Maydell wrote --+
| > switch (offset) {
| > case GPDR:/* GPIO Pin-Direction registers */
| > -s->dir = value;
| > +s->dir = value & 0x3f;
|
| The commit message says it's masking [31:28], but the
| code is masking [31:22]. The
From: Prasad J Pandit
The high[31:28] bits of 'direction' and 'state' registers of
SA-1100/SA-1110 device are reserved. Setting them may lead to
OOB 's->handler[]' array access issue. Mask off [31:28] bits to
avoid it.
Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
---
+-- On Tue, 30 Oct 2018, Paolo Bonzini wrote --+
|
| Reviewed-by: Paolo Bonzini
|
| with one change below:
|
| > +if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
| > +assert(s->msg_len >= 0);
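Review bot: `assert(s->msg_len >= 0)` still admits a zero-length message, and once `msg_len` becomes an unsigned type (the `int msg_len` to `uint8_t msg_len` change discussed elsewhere in this thread) the comparison is always true and GCC flags it under -Wtype-limits; check for a strictly positive length and bound it from above against the message buffer as well, e.g. `assert(s->msg_len > 0 && s->msg_len <= LSI_MAX_MSGIN_LEN);`.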
|
| should be > 0 as well.
Sent patch v3. Thank you.
--
Prasad J Pandit / Red Hat
From: Prasad J Pandit
While writing a message in 'lsi_do_msgin', message length value
in 'msg_len' could be invalid. Add check to avoid OOB access issue.
Signed-off-by: Prasad J Pandit
---
hw/scsi/lsi53c895a.c | 19 +--
1 file changed, 17 insertions(+), 2 deletions(-)
Update
+-- On Mon, 29 Oct 2018, Paolo Bonzini wrote --+
| On 29/10/2018 18:56, Paolo Bonzini wrote:
| > On 26/10/2018 22:55, Peter Maydell wrote:
| >>> +assert(len <= LSI_MAX_MSGIN_LEN);
| >>> pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
| >>> /* Linux drivers rely on the last byte
+-- On Sun, 21 Oct 2018, P J P wrote --+
| The length parameter values are not negative, thus use an unsigned
| type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
| calls. If it was negative, it could lead to memory corruption issues.
| Add check to avoid it.
|
| Reported
From: Prasad J Pandit
While writing a message in 'lsi_do_msgin', message length value
in 'msg_len' could be invalid. Add check to avoid OOB access issue.
Signed-off-by: Prasad J Pandit
---
hw/scsi/lsi53c895a.c | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
Update v1:
+-- On Fri, 26 Oct 2018, Mark Kanda wrote --+
| Yes, please use that acknowledgement text in lieu of a 'Reported-by' line.
Okay, thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
+-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+
| ...
| One thing we should do, however, is to make it clear which of the
| device models we consider secure, and which we consider only usable
| in a friendly guest environment, as we have very different code
| maintainership & quality
+-- On Fri, 26 Oct 2018, Mark Kanda wrote --+
| Deja vu requested that we include the following text in the commit message:
|
| Discovered by Deja vu Security. Reported by Oracle.
|
| Would that be acceptable?
Generally an email-id is used/preferred in the commit log message. We could
From: Prasad J Pandit
While performing PowerNV memory r/w operations, the access length
'sz' could exceed the data[4] buffer size. Add check to avoid OOB
access.
Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
---
hw/ppc/pnv_lpc.c | 8 +++-
1 file changed, 7 insertions(+), 1
+-- On Fri, 26 Oct 2018, Daniel P. Berrangé wrote --+
| > No, since the adlib device is not used as much and is being deprecated, I'm
| > not inclined to get one.
|
| Any security issue that affects code in QEMU that is currently being
| shipped by distros should have a CVE.
|
| Whether we
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| Oh, thanks! I said I was dumb. :) So the fix is just this:
|
| diff --git a/hw/audio/fmopl.h b/hw/audio/fmopl.h
| index e7e578a48e..7199afaa3c 100644
| --- a/hw/audio/fmopl.h
| +++ b/hw/audio/fmopl.h
| @@ -72,8 +72,8 @@ typedef struct fm_opl_f
+-- On Fri, 26 Oct 2018, Cédric Le Goater wrote --+
| On 10/25/18 8:45 AM, P J P wrote:
| > - While we refactor the routine for better, a patch below seems okay to fix
| > the OOB access issue?
|
| I think it is fine. Please add something like :
|
| qemu_log_mask(LOG_GUEST
+-- On Fri, 26 Oct 2018, Peter Maydell wrote --+
| > ===
| > diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c
| > index ec2627374d..dd8c4b1f2e 100644
| > --- a/hw/arm/strongarm.c
| > +++ b/hw/arm/strongarm.c
| > @@ -587,12 +587,12 @@ static void strongarm_gpio_write(void *opaque, hwaddr
| >
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| > -int msg_len;
| > +uint8_t msg_len;
|
| Not wrong per se, but it's also not clear why it's needed. I understand
| that you want to switch from signed to unsigned, but it is not mentioned
| in the commit message.
Changed to uint8_t
+-- On Fri, 26 Oct 2018, Paolo Bonzini wrote --+
| I am dumb and I don't understand. In set_ar_dr you get
|
| v = 0xff
| ar = 15
| dr = 15
|
| and OPL->AR_TABLE[60] is accessed. The size of the array is 75, which
| seems to be actually 14 more than required. Likewise
+-- On Thu, 25 Oct 2018, Ameya More wrote --+
| While Mark and I reported this issue to you, it was actually discovered by
| Deja vu Security and they should receive credit for reporting this issue.
| http://www.dejavusecurity.com
I see; would it be possible to share email-id of the original
From: Prasad J Pandit
The high[32:28] bits of 'direction' and 'state' registers of
SA-1100/SA-1110 device are reserved. Setting them may lead to
OOB 's->handler[]' array access issue. Mask off [32:28] bits to
avoid it.
Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
---
+-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
| On Thu, Oct 25, 2018 at 04:26:16PM +0530, P J P wrote:
| > +-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| > | We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
| > |
| > | Reproducer:
| > | out
Hello Dan, all
+-- On Thu, 25 Oct 2018, Daniel P. Berrangé wrote --+
| On Thu, Oct 25, 2018 at 10:52:56AM +0200, Gerd Hoffmann wrote:
| > While being at it deprecate cirrus too.
| >
| > Reason (short version): use stdvga instead.
| > Verbose version:
| >
+-- On Thu, 25 Oct 2018, Peter Maydell wrote --+
| Hi; thanks for this patch. Looking at the SA1110 manual,
| it says that writes to the reserved bits [31:28] are
| ignored. So I think that rather than doing this check
| here, we should do what the strongarm_ppc_* code in the
| same file does --
From: Prasad J Pandit
While writing a message in 'lsi_do_msgin', message length value
in 'msg_len' could be invalid. Add check to avoid OOB access issue.
Reported-by: Ameya More
Signed-off-by: Prasad J Pandit
---
hw/scsi/lsi53c895a.c | 9 ++---
1 file changed, 6 insertions(+), 3
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| While being at it deprecate cirrus too.
|
| Reason (short version): use stdvga instead.
| Verbose version:
| https://www.kraxel.org/blog/2014/10/qemu-using-cirrus-considered-harmful
|
| Signed-off-by: Gerd Hoffmann
| ---
|
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| We have a lovely, guest-triggerable buffer overflow in opl2 emulation.
|
| Reproducer:
| outw(0xff60, 0x220);
| outw(0x1020, 0x220);
| outw(0xffb0, 0x220);
| Result:
| Will overflow FM_OPL->AR_TABLE[] (see hw/audio/fmopl.[ch])
+-- On Thu, 25 Oct 2018, Gerd Hoffmann wrote --+
| Similar to deprecated machine types.
| Print a warning when creating a deprecated device.
| Add deprecation notice to -device help.
|
| TODO: add to intospection.
s/intospection/introspection ..?
| diff --git a/hw/core/qdev.c b/hw/core/qdev.c
Hello Cedric,
+-- On Wed, 24 Oct 2018, Cédric Le Goater wrote --+
| I think using a data[8] would be more appropriate. It would make the
| pnv_lpc_do_eccb() routine a little more complex. I tried to rewrite it to
| have a common one with the P9 LPC model but could not find a common pattern.
+-- On Tue, 23 Oct 2018, Philippe Mathieu-Daudé wrote --+
| > From: Prasad J Pandit
| >
| > Update v1: use ARRAY_SIZE macro
| >-> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg04826.html
| >
| > -qemu_set_irq(s->handler[bit], (level >> bit) & 1);
| > +if (bit <
+-- On Mon, 22 Oct 2018, liqsub1 wrote --+
| +if (bit < sizeof(s->handler) / sizeof(s->handler[0])) {
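Review bot: the added check silently skips any out-of-range `bit` instead of reporting it; since the reserved high bits of this register are ignored on write (Peter Maydell's review of the follow-up cites the SA1110 manual for bits [31:28]), masking them off where the register is written, as the strongarm_ppc_* handlers in the same file do, removes the need for a per-iteration bounds check and leaves the loop body untouched. If the check is kept, spell the bound as `ARRAY_SIZE(s->handler)` and log the rejected index with `qemu_log_mask(LOG_GUEST_ERROR, ...)` so a misbehaving guest shows up in the log rather than being dropped quietly.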
|
| Maybe you can use ARRAY_SIZE here.
Yes, sent patch v1.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
From: Prasad J Pandit
While performing gpio write via strongarm_gpio_handler_update
routine, the 'bit' index could access beyond s->handler[28] array.
Add check to avoid OOB access.
Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
---
hw/arm/strongarm.c | 4 +++-
1 file changed, 3
From: Prasad J Pandit
While performing PowerNV memory r/w operations, the access length
'sz' could exceed the data[4] buffer size. Add check to avoid OOB
access.
Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
---
hw/ppc/pnv_lpc.c | 4
1 file changed, 4 insertions(+)
diff --git
From: Prasad J Pandit
While in nvme_mmio_read, memcpy could read past the 'n->bar'
buffer, if addr offset was pointing towards its tail end.
Add check to avoid OOB access.
Reported-by: Caihongzhu
Signed-off-by: Prasad J Pandit
---
hw/block/nvme.c | 2 +-
1 file changed, 1 insertion(+), 1
From: Prasad J Pandit
The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If it was negative, it could lead to memory corruption issues.
Add check to avoid it.
Reported-by: Arash TC
Signed-off-by: Prasad
+-- On Thu, 18 Oct 2018, Paolo Bonzini wrote --+
| So you have to first find out all places where something is subtracted
| from the length, and ensure it's okay or add assertions.
|
| Then you have to check a much more important issue: places that use a
| fixed-size buffer such as
From: Prasad J Pandit
The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If it was negative, it could lead to memory corruption issues.
Reported-by: Arash TC
Signed-off-by: Prasad J Pandit
---
+-- On Thu, 11 Oct 2018, Philippe Mathieu-Daudé wrote --+
| I started this change and already converted 40 files.
Wow, that's super swift! :) Will wait for the patch V2 from you then.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
+-- On Thu, 11 Oct 2018, Philippe Mathieu-Daudé wrote --+
| The IOReadHandler does not have documentation.
|
| typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size);
|
| Why is the 'size' argument signed? Does it make sense to call it with a
| negative value?
No, it doesn't
From: Prasad J Pandit
While reading virtual smart card data, if buffer 'size' is negative
it would lead to memory corruption errors. Add check to avoid it.
Reported-by: Arash TC
Signed-off-by: Prasad J Pandit
---
hw/usb/ccid-card-passthru.c | 1 +
1 file changed, 1 insertion(+)
diff --git
From: Prasad J Pandit
While reading file content via 'guest-file-read' command,
'qmp_guest_file_read' routine allocates buffer of count+1
bytes. It could overflow for large values of 'count'.
Add check to avoid it.
Reported-by: Fakhri Zulkifli
Signed-off-by: Prasad J Pandit
---
mu-devel/2018-06/msg01144.html
This is patch v1 with indentation fix flagged by checkpatch.pl. In case you
prefer this one.
Thank you.
--
- P J P
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
From: Prasad J Pandit
Coding style changes to the m_cat routine and minor refactoring.
Signed-off-by: Prasad J Pandit
---
slirp/mbuf.c | 36
1 file changed, 16 insertions(+), 20 deletions(-)
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index
From: Prasad J Pandit
Hello,
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area.
This patch set fixes this issue and formats m_cat()
From: Prasad J Pandit
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.
Reported-by: ZDI
+-- On Wed, 14 Mar 2018, Kevin Wolf wrote --+
| Well, it seems to me that this patch was created for a different
| purpose, but it happens to fix the bug for which this CVE was assigned
| now.
Right. I had sent another patch to fix it, where Jack mentioned his
series from before.
| I
+-- On Thu, 8 Mar 2018, Gerd Hoffmann wrote --+
| Typically the scanline length and the line offset are identical.
| But case
But in case ...
| Cc: Ross Lagerwall
s/Cc:/Reported-by: Ross Lagerwall ...
| Signed-off-by: Gerd Hoffmann
| ---
|
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| Change all fprintf(stderr...) calls in hw/i386/multiboot.c to call
| error_report() instead, including the mb_debug macro. Remove the "\n"
| from strings passed to all modified calls, since error_report() appends
| one.
|
| Signed-off-by: Jack
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| Refer to field names when displaying fields in printf and debug statements.
I wonder if it's required; having variable names is helpful while going
through code.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| Remove unused variables: mh_mode_type, mh_width, mh_height, mh_depth
|
| Signed-off-by: Jack Schwartz
| Reviewed-by: Daniel Kiper
| ---
| hw/i386/multiboot.c | 6 --
| 1 file changed, 6
+-- On Thu, 21 Dec 2017, Jack Schwartz wrote --+
| The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/),
| section 3.1.3, allows for bss_end_addr to be zero.
|
| A zero bss_end_addr signifies there is no .bss section.
|
| Suggested-by: Daniel Kiper
|
+-- On Wed, 28 Feb 2018, P J P wrote --+
| While loading kernel via multiboot-v1 image, (flags & 0x0001)
| indicates that multiboot header contains valid addresses to load
| the kernel image. In that, end of the data segment address
| 'mh_load_end_addr' should be less than the bss seg
From: Prasad J Pandit
While loading kernel via multiboot-v1 image, (flags & 0x0001)
indicates that multiboot header contains valid addresses to load
the kernel image. In that, end of the data segment address
'mh_load_end_addr' should be less than the bss segment
From: Prasad J Pandit
When updating the message signalled interrupt (MSI) route in routine
kvm_irqchip_update_msi_route, device parameter could be null.
Add check to avoid null dereference.
Reported-by: Guoxiang Niu
Signed-off-by: Prasad J Pandit
Hello Radim,
+-- On Fri, 2 Feb 2018, Radim Krčmář wrote --+
| This should primarily go to the qemu devel list. I've Cc'd it, but
| reposting would be safer, thanks.
Ah, okay. I did think qemu-devel would be better, but MAINTAINERS file lists
k...@vger.kernel.org address for accel/kvm/.
+-- On Thu, 25 Jan 2018, Gerd Hoffmann wrote --+
| Ok, finally queued up v1 for merge.
Okay, cool. Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
+-- On Mon, 25 Dec 2017, linzhecheng wrote --+
| --- a/hw/display/vga.c
| +++ b/hw/display/vga.c
| @@ -1279,6 +1279,10 @@ static void vga_draw_text(VGACommonState *s, int
full_update)
| cx_min = width;
| cx_max = -1;
| for(cx = 0; cx < width; cx++) {
| +if
+-- On Mon, 11 Dec 2017, Peter Maydell wrote --+
| It would be more sensible to just mask off the top bits of
| 'level' before starting the loop, rather than checking every
| time around the loop:
|level &= MAKE_64BIT_MASK(0, TC6493XB_GPIOS);
Sent a revised patch v1. Thank you.
--
Prasad J
From: Prasad J Pandit
The ctz32() routine could return a value greater than
TC6393XB_GPIOS=16. This could lead to an OOB array access.
Mask 'level' to avoid it.
Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
---
From: Prasad J Pandit
The ctz32() routine could return a value greater than
TC6393XB_GPIOS=16. This could lead to an OOB array access.
Add check to avoid it.
Reported-by: Moguofang
Signed-off-by: Prasad J Pandit
---
+-- On Thu, 30 Nov 2017, P J P wrote --+
| +-- On Thu, 30 Nov 2017, Stefan Hajnoczi wrote --+
| | Michael is the virtio maintainer. I have added him to this email
| | thread so the patch series can be merged.
-> https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05473.html
From: Prasad J Pandit
During a dma access, SCSIRequest object 'current_req' could be
null, leading to a null pointer dereference. Add check to avoid
it.
Reported-by: Zhangboxian
Signed-off-by: Prasad J Pandit
---
+-- On Thu, 30 Nov 2017, Stefan Hajnoczi wrote --+
| Michael is the virtio maintainer. I have added him to this email
| thread so the patch series can be merged.
Thanks so much!
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
+-- On Wed, 29 Nov 2017, Cornelia Huck wrote --+
| I think the basic problem is still that you conflate two things:
| - vring.num, which cannot be flipped between 0 and !0 by the guest
| - vring.{desc,avail,used}, which can
|
| IOW, if vring.num == 0, the guest cannot manipulate the queue; if
|
From: Prasad J Pandit
Hello,
A guest could attempt to use an uninitialised VirtQueue object
or set Vring object with undue values, raising an unexpected
exception in Qemu. This patch set fixes this issue and also adds
a unit test to the suite.
Thank you.
--
Prasad J
From: Prasad J Pandit
A guest could attempt to use an uninitialised VirtQueue object
or unset Vring.align leading to an arithmetic exception. Add check
to avoid it.
Reported-by: Zhangboxian
Signed-off-by: Prasad J Pandit
From: Prasad J Pandit
An uninitialised VirtQueue object or one with Vring.align field
set to zero (0) could lead to arithmetic exceptions. Add a unit
test to validate it.
Signed-off-by: Prasad J Pandit
---
tests/virtio-blk-test.c | 25
Hello Cornelia,
+-- On Tue, 28 Nov 2017, Cornelia Huck wrote --+
| What is "unfit for use"?
Unfit for use because we see checks like
if (!virtio_queue_get_num(vdev, n)) {
continue;
...
if (!vdev->vq[n].vring.num) {
return;
'virtio_queue_set_rings' sets 'vring.desc' as
+-- On Tue, 28 Nov 2017, Stefan Hajnoczi wrote --+
| > This is conflating different things:
| > - vq does not exist (num == 0)
| > - vq is not setup by the guest (desc == 0)
| > - vq has no valid alignment (which is only relevant for legacy)
|
| I agree.
Either case, vq would be unfit for use,
+-- On Mon, 27 Nov 2017, Cornelia Huck wrote --+
|The check for align is not really needed, as virtio-1 disallows setting align
|anyway.
disallows...?
| Checking for !desc is wrong (why shouldn't a driver be able to unset a
| descriptor table?)
+-- On Mon, 27 Nov 2017, Stefan Hajnoczi wrote
From: Prasad J Pandit
Hello,
A user could attempt to use an uninitialised VirtQueue object
or set Vring object with undue values, raising an unexpected
exception in Qemu. This patch set fixes this issue and also adds
a unit test to the suite.
Thank you.
--
Prasad J
From: Prasad J Pandit
A user could attempt to use an uninitialised VirtQueue object
or unset Vring.align leading to an arithmetic exception. Add check
to avoid it.
Reported-by: Zhangboxian
Signed-off-by: Prasad J Pandit