From: "Michael S. Tsirkin" <mst@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Alexander Bulekov <alxndr@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>, Ani Sinha <ani@anisinha.ca>,
Igor Mammedov <imammedo@redhat.com>
Subject: Re: [PATCH] acpi: validate hotplug selector on access
Date: Wed, 22 Dec 2021 15:52:46 -0500 [thread overview]
Message-ID: <20211222154841-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <CAP+75-VaN5SD22ABqKNTC=dHhN4yaN-22Ucfdp=6aeYa+q+83A@mail.gmail.com>
On Wed, Dec 22, 2021 at 09:27:51PM +0100, Philippe Mathieu-Daudé wrote:
> On Wed, Dec 22, 2021 at 9:20 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> > On Wed, Dec 22, 2021 at 08:19:41PM +0100, Philippe Mathieu-Daudé wrote:
> > > +Mauro & Alex
> > >
> > > On 12/21/21 15:48, Michael S. Tsirkin wrote:
> > > > When bus is looked up on a pci write, we didn't
> > > > validate that the lookup succeeded.
> > > > Fuzzers thus can trigger QEMU crash by dereferencing the NULL
> > > > bus pointer.
> > > >
> > > > Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device")
> > > > Cc: "Igor Mammedov" <imammedo@redhat.com>
> > > > Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770
> > > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > >
> > > It seems this problem is important enough to get a CVE assigned.
> >
> > Guest root can crash guest.
> > I don't see why we would assign a CVE.
>
> Well thinking about downstream distributions, if there is a CVE assigned,
> it helps them to have it written in the commit. Maybe I am mistaken.
>
> Unrelated but it seems there is a coordination problem with the
> qemu-security@ list,
> if this isn't a security issue, why was a CVE requested?
Right. I don't think a priveleged user crashing VM warrants a CVE,
it can just halt a CPU or whatever. Just cancel the CVE request pls.
> > > Mauro, please update us when you get the CVE number.
> > > Michael, please amend the CVE number before committing the fix.
> > >
> > > FWIW Paolo asked every fuzzed bug reproducer to be committed
> > > as qtest, see tests/qtest/fuzz*c. Alex has a way to generate
> > > reproducer in plain C.
> > >
> > > Regards,
> > >
> > > Phil.
> >
next prev parent reply other threads:[~2021-12-22 20:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-21 14:48 [PATCH] acpi: validate hotplug selector on access Michael S. Tsirkin
2021-12-21 14:58 ` Philippe Mathieu-Daudé
2021-12-21 16:37 ` Ani Sinha
2021-12-22 19:19 ` Philippe Mathieu-Daudé
2021-12-22 20:19 ` Michael S. Tsirkin
2021-12-22 20:27 ` Philippe Mathieu-Daudé
2021-12-22 20:52 ` Michael S. Tsirkin [this message]
2021-12-23 9:58 ` Mauro Matteo Cascella
2021-12-23 13:43 ` Michael S. Tsirkin
2021-12-23 20:46 ` Mauro Matteo Cascella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211222154841-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=alxndr@redhat.com \
--cc=ani@anisinha.ca \
--cc=imammedo@redhat.com \
--cc=mcascell@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.