From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:35551)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1UVhoP-0007ZJ-RN
	for qemu-devel@nongnu.org; Fri, 26 Apr 2013 08:31:40 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1UVhoL-0008Ex-Pq
	for qemu-devel@nongnu.org; Fri, 26 Apr 2013 08:31:37 -0400
Received: from mx1.redhat.com ([209.132.183.28]:49144)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1UVhoL-0008El-HY
	for qemu-devel@nongnu.org; Fri, 26 Apr 2013 08:31:33 -0400
Date: Fri, 26 Apr 2013 15:31:24 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20130426123124.GB15119@redhat.com>
References: <1366875807-3491-1-git-send-email-jasowang@redhat.com>
	<87fvyebbwb.fsf@codemonkey.ws> <20130425210242.GB2908@redhat.com>
	<878v461c1k.fsf@codemonkey.ws> <517A0B3D.1020202@redhat.com>
	<517A57AB.60804@redhat.com> <517A57FD.3090700@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <517A57FD.3090700@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] virtio: abort on zero config length
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jason Wang <jasowang@redhat.com>
Cc: Anthony Liguori <aliguori@us.ibm.com>, qemu-devel@nongnu.org

On Fri, Apr 26, 2013 at 06:33:33PM +0800, Jason Wang wrote:
> On 04/26/2013 06:32 PM, Eric Blake wrote:
> > On 04/25/2013 11:06 PM, Jason Wang wrote:
> >>>>     if (addr > (vdev->config_len - sizeof(val)))
> >>>>
> >>>> ^^^^^^^^^ quiz: spot a bug above if config_len is 0    :)
> >>> Then we need to fix these bugs and allocate a CVE.  virtio-rng has
> >>> shipped.  This code is also dumb.
> >> Ok, but since the discussion is in public list, no need for CVE then.
> > Wrong.  CVEs are useful even for publicly disclosed bugs.  It tells
> > people whether they need to upgrade in order to avoid a vulnerability.
> >
> > What we don't need is embargo.  But we do need a CVE.
> >
> 
> True, thanks for the correction.

I think we never shipped QEMU release with this bug.  So no need for
CVEs.  I'm not sure upstream has to bother with CVEs - we can just say
this is downstream work.

-- 
MST