qemu-devel.nongnu.org archive mirror
From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>, qemu-devel@nongnu.org
Cc: Ani Sinha <ani@anisinha.ca>, Igor Mammedov <imammedo@redhat.com>,
	Mauro Matteo Cascella <mcascell@redhat.com>,
	Alexander Bulekov <alxndr@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH] acpi: validate hotplug selector on access
Date: Wed, 22 Dec 2021 20:19:41 +0100	[thread overview]
Message-ID: <ad22de10-a52c-ff34-0790-3be8e7d62630@redhat.com> (raw)
In-Reply-To: <20211221144852.589983-1-mst@redhat.com>

+Mauro & Alex

On 12/21/21 15:48, Michael S. Tsirkin wrote:
> When a bus is looked up on a PCI write, we didn't
> validate that the lookup succeeded.
> Fuzzers can thus trigger a QEMU crash by dereferencing the NULL
> bus pointer.
> 
> Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device")
> Cc: "Igor Mammedov" <imammedo@redhat.com>
> Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

It seems this problem is important enough to get a CVE assigned.

Mauro, please update us when you get the CVE number.
Michael, please amend the CVE number before committing the fix.

FWIW Paolo asked for every fuzzed bug reproducer to be committed
as a qtest, see tests/qtest/fuzz*c. Alex has a way to generate
a reproducer in plain C.

Regards,

Phil.
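The bug class discussed in this thread is a device register handler that looks a bus up by a guest-controlled selector and dereferences the result without checking whether the lookup found anything. The following is an added, constructed illustration of the defensive shape such a handler should have; it is not QEMU code and the names (FakeBus, FakeHotplugState, lookup_bus, hotplug_write) are hypothetical. A guest (or fuzzer) writing a selector that names no bus gets its write rejected and logged instead of crashing the emulator.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model (not QEMU's): a hotplug register block where one
 * register selects a bus by index and a second register writes a per-bus
 * field. Table entries may be NULL, and the selector is guest-controlled. */

#define MAX_BUSES 4

typedef struct {
    uint32_t slot_mask;          /* per-bus field written by the guest */
} FakeBus;

typedef struct {
    uint32_t selector;           /* last value written to the selector register */
    FakeBus *buses[MAX_BUSES];   /* sparse table: unpopulated slots are NULL */
} FakeHotplugState;

/* Lookup can legitimately fail: out-of-range index or an empty slot.
 * Callers must treat NULL as "no such bus", never dereference it. */
static FakeBus *lookup_bus(const FakeHotplugState *s, uint32_t sel)
{
    if (sel >= MAX_BUSES) {
        return NULL;
    }
    return s->buses[sel];
}

static void set_selector(FakeHotplugState *s, uint32_t sel)
{
    s->selector = sel;
}

/* Write to the per-bus register. Returns true when the write was applied,
 * false when the current selector names no bus. The missing NULL check is
 * exactly the defect the thread's patch adds; here the check is present. */
static bool hotplug_write(FakeHotplugState *s, uint32_t value)
{
    FakeBus *bus = lookup_bus(s, s->selector);
    if (!bus) {
        fprintf(stderr, "hotplug: write with invalid selector %u ignored\n",
                s->selector);
        return false;
    }
    bus->slot_mask = value;
    return true;
}

/* Scenario: only bus 1 is populated; try a valid selector, an empty slot,
 * and an out-of-range index. Returns how many writes were applied. */
static int demo_applied_writes(void)
{
    static FakeBus bus1;
    FakeHotplugState st = { 0 };
    st.buses[1] = &bus1;

    int applied = 0;
    set_selector(&st, 1);
    applied += hotplug_write(&st, 0x0f);   /* applied */
    set_selector(&st, 3);
    applied += hotplug_write(&st, 0xff);   /* empty slot: rejected */
    set_selector(&st, 99);
    applied += hotplug_write(&st, 0xff);   /* out of range: rejected */
    return applied;                        /* 1 */
}

int main(void)
{
    printf("applied writes: %d\n", demo_applied_writes());
    return 0;
}
```

The point of the shape is that lookup_bus is allowed to fail and hotplug_write is the only place that decides what a failed lookup means; a qtest reproducer for this class of bug simply writes the bad selector and then the data register and checks the device survives.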



Thread overview: 10+ messages
2021-12-21 14:48 [PATCH] acpi: validate hotplug selector on access Michael S. Tsirkin
2021-12-21 14:58 ` Philippe Mathieu-Daudé
2021-12-21 16:37 ` Ani Sinha
2021-12-22 19:19 ` Philippe Mathieu-Daudé [this message]
2021-12-22 20:19   ` Michael S. Tsirkin
2021-12-22 20:27     ` Philippe Mathieu-Daudé
2021-12-22 20:52       ` Michael S. Tsirkin
2021-12-23  9:58         ` Mauro Matteo Cascella
2021-12-23 13:43           ` Michael S. Tsirkin
2021-12-23 20:46             ` Mauro Matteo Cascella
