On 06.12.18 09:48, P J P wrote:
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann
Considering that Li Qiang had already published his
+-- On Thu, 6 Dec 2018, P J P wrote --+
| | to clarify that this is a serious bug but also that it's
| | not one that will be affecting anybody's production systems.
|
| Okay, preparing patch v2...
Sent revised patch
[PATCH v1] i2c: pm_smbus: check smb_index before block transfer write
Thank
+-- On Thu, 6 Dec 2018, Peter Maydell wrote --+
| > > Do we need patch v2, or it can be done while merging it?
| >
| > I can add in the Fixes line when I apply the patch to master.
|
| Oh, I think we should also add to the commit message something
| along the lines of:
|
| "Note that this bug is
On 06.12.18 09:48, P J P wrote:
> Reported-by: Michael Hanselmann
> Signed-off-by: Prasad J Pandit
Reviewed-by: Michael Hanselmann
Best regards,
Michael
在 2018/12/6 16:48, P J P 写道:
> From: Prasad J Pandit
>
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann
> Signed-off-by: Prasad J
On Thu, 6 Dec 2018 at 11:19, Peter Maydell wrote:
>
> On Thu, 6 Dec 2018 at 11:10, P J P wrote:
> >
> > +-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
> > | > From: Prasad J Pandit
> > | >
> > | > While performing block transfer write in smb_ioport_writeb(),
> > | > 'smb_index' is incremented
On Thu, 6 Dec 2018 at 11:10, P J P wrote:
>
> +-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
> | > From: Prasad J Pandit
> | >
> | > While performing block transfer write in smb_ioport_writeb(),
> | > 'smb_index' is incremented and used to index smb_data[] array.
> | > Check 'smb_index' value
Peter Maydell 于2018年12月6日周四 下午7:05写道:
> On Thu, 6 Dec 2018 at 11:00, Li Qiang wrote:
> > Yes, I know that, but as this issue is so good to write a perfect exploit
> > so I want to do more.
> >
> > I know the qemu planing and know this issue doesn't affect anyone.
> > I want to do a perfect
On Thu, 6 Dec 2018 at 11:12, Li Qiang wrote:
> OK, next time I will report it directly like what I did before.
Thank you -- I appreciate that.
-- PMM
+-- On Thu, 6 Dec 2018, Igor Mammedov wrote --+
| > From: Prasad J Pandit
| >
| > While performing block transfer write in smb_ioport_writeb(),
| > 'smb_index' is incremented and used to index smb_data[] array.
| > Check 'smb_index' value to avoid OOB access.
| >
| > Reported-by: Michael
On Thu, 6 Dec 2018 at 11:00, Li Qiang wrote:
> Yes, I know that, but as this issue is so good to write a perfect exploit
> so I want to do more.
>
> I know the qemu planing and know this issue doesn't affect anyone.
> I want to do a perfect work.
The problem is that it does affect other people,
Peter Maydell 于2018年12月6日周四 下午6:46写道:
> On Thu, 6 Dec 2018 at 10:34, li qiang wrote:
> >
> >
> > 在 2018/12/6 18:16, Peter Maydell 写道:
> > > On Thu, 6 Dec 2018 at 09:10, li qiang wrote:
> > >> Oh... Finally another one find this.
> > >>
> > >> I've already found this. This is very a serious
On Thu, 6 Dec 2018 at 10:34, li qiang wrote:
>
>
> 在 2018/12/6 18:16, Peter Maydell 写道:
> > On Thu, 6 Dec 2018 at 09:10, li qiang wrote:
> >> Oh... Finally another one find this.
> >>
> >> I've already found this. This is very a serious security issue.
> > If you find a security issue, we
在 2018/12/6 18:16, Peter Maydell 写道:
> On Thu, 6 Dec 2018 at 09:10, li qiang wrote:
>> Oh... Finally another one find this.
>>
>> I've already found this. This is very a serious security issue.
> If you find a security issue, we would appreciate it if
> you let us know, rather than just
On Thu, 6 Dec 2018 at 09:10, li qiang wrote:
> Oh... Finally another one find this.
>
> I've already found this. This is very a serious security issue.
If you find a security issue, we would appreciate it if
you let us know, rather than just waiting to see if
anybody else notices it...
FYI:
http://terenceli.github.io/%E6%8A%80%E6%9C%AF/2018/12/06/qemu-escape
在 2018/12/6 17:02, li qiang 写道:
> 在 2018/12/6 16:48, P J P 写道:
>> From: Prasad J Pandit
>>
>> While performing block transfer write in smb_ioport_writeb(),
>> 'smb_index' is incremented and used to index smb_data[]
On Thu, 6 Dec 2018 at 09:48, Igor Mammedov wrote:
>
> On Thu, 6 Dec 2018 14:18:16 +0530
> P J P wrote:
>
> > From: Prasad J Pandit
> >
> > While performing block transfer write in smb_ioport_writeb(),
> > 'smb_index' is incremented and used to index smb_data[] array.
> > Check 'smb_index'
On Thu, 6 Dec 2018 14:18:16 +0530
P J P wrote:
> From: Prasad J Pandit
>
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann
>
On Thu, 6 Dec 2018 14:18:16 +0530
P J P wrote:
> From: Prasad J Pandit
>
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann
>
在 2018/12/6 16:48, P J P 写道:
> From: Prasad J Pandit
>
> While performing block transfer write in smb_ioport_writeb(),
> 'smb_index' is incremented and used to index smb_data[] array.
> Check 'smb_index' value to avoid OOB access.
>
> Reported-by: Michael Hanselmann
> Signed-off-by: Prasad J
From: Prasad J Pandit
While performing block transfer write in smb_ioport_writeb(),
'smb_index' is incremented and used to index smb_data[] array.
Check 'smb_index' value to avoid OOB access.
Reported-by: Michael Hanselmann
Signed-off-by: Prasad J Pandit
---
hw/i2c/pm_smbus.c | 3 +++
1 file
21 matches
Mail list logo
