qemu/hw
Prasad J Pandit f2609ffdf3 i2c: pm_smbus: check smb_index before block transfer write
While performing block transfer write in smb_ioport_writeb(),
'smb_index' is incremented and used to index smb_data[] array.
Check 'smb_index' value to avoid OOB access.

Note that this bug is exploitable by a guest to escape
from the virtual machine. However, the commit which
introduced the bug was only made after the 3.0 release,
and so it is not present in any released QEMU versions.

Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20181206121830.6177-1-ppandit@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-06 15:51:57 +00:00
9pfs 9p: fix QEMU crash when renaming files 2018-11-23 13:28:03 +01:00
acpi hw/acpi/nvdimm: Don't take address of fields in packed structs 2018-11-12 15:14:06 +00:00
adc Include qapi/error.h exactly where needed 2018-02-09 13:50:17 +01:00
alpha hw/alpha/typhoon: Remove unuseful code 2018-10-24 06:44:59 -03:00
arm hw/arm/aspeed: Fix build issue with clang 3.4 2018-11-28 13:51:41 +00:00
audio audio/hda: fix guest triggerable assert 2018-11-27 07:47:57 +01:00
block nvme: Fix spurious interrupts 2018-11-27 12:59:00 +01:00
bt hw/bt: Replace fprintf(stderr, "*\n" with error_report() 2018-01-22 09:51:00 +01:00
char hw/arm/stm32f205: Fix the UART and Timer region size 2018-11-19 15:29:08 +00:00
core Machine queue, 2018-10-25 2018-10-25 20:17:12 +01:00
cpu hw/cpu/a15mpcore: If CPU has EL2, enable it on the GIC and wire it up 2018-08-24 13:17:34 +01:00
cris hw/cris: Use the IEC binary prefix definitions 2018-07-02 15:41:15 +02:00
display vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
dma hw/dma/pl080: Remove hw_error() if DMA is enabled 2018-08-20 11:24:33 +01:00
gpio hw/i2c: Use DeviceClass::realize instead of I2CSlaveClass::init 2018-06-01 15:14:31 +02:00
hppa hw/hppa/dino: Remove unuseful code 2018-10-24 06:44:59 -03:00
hyperv hw/hyperv: fix NULL dereference with pure-kvm SynIC 2018-11-26 14:14:38 -02:00
i2c i2c: pm_smbus: check smb_index before block transfer write 2018-12-06 15:51:57 +00:00
i386 hw/i386: add pc-i440fx-3.1 & pc-q35-3.1 2018-11-20 11:42:32 -02:00
ide replay: replay BH for IDE trim operation 2018-10-02 19:09:13 +02:00
input ps2kbd: default to scan enabled after reset 2018-11-27 07:47:50 +01:00
intc vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
ipack hw/ipack: Use the IEC binary prefix definitions 2018-07-02 15:41:12 +02:00
ipmi ipmi: Use proper struct reference for BT vmstate 2018-08-23 18:46:25 +02:00
isa configs: Add a CONFIG_SMC37C669 switch for the "smc37c669-superio" device 2018-10-24 07:33:44 +01:00
lm32 milkymist: Check for failure trying to load BIOS image 2018-11-06 11:32:14 +00:00
m68k hw/m68k: Use the IEC binary prefix definitions 2018-07-02 15:41:14 +02:00
mem nvdimm: set non-volatile on the memory region 2018-11-06 21:35:05 +01:00
microblaze hw/microblaze/xlnx-zynqmp-pmu: Fix introspection problem in 'xlnx, zynqmp-pmu-soc' 2018-07-23 15:21:25 +01:00
mips hw/mips/malta: Remove unuseful code 2018-10-24 06:44:59 -03:00
misc pc-testdev: use HTTPS git URL 2018-11-12 11:26:02 +00:00
moxie change get_image_size return type to int64_t 2018-10-02 19:08:49 +02:00
net net: cadence_gem: Remove incorrect assert() 2018-11-26 13:41:42 +00:00
nios2 hw/nios2: Use the IEC binary prefix definitions 2018-07-02 15:41:15 +02:00
nvram vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
openrisc Change references to serial_hds[] to serial_hd() 2018-04-26 13:57:00 +01:00
pci vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
pci-bridge hw/pci-bridge/ioh3420: Remove unuseful header 2018-11-05 13:24:02 -05:00
pci-host ppc patch queue 2018-11-08 2018-11-08 14:42:37 +00:00
pcmcia hw: Clean up includes 2016-01-29 15:07:25 +00:00
ppc ppc/spapr_caps: Add SPAPR_CAP_NESTED_KVM_HV 2018-11-08 13:08:35 +11:00
rdma config: split PVRDMA from RDMA 2018-08-18 18:01:34 +03:00
riscv hw/riscv/virt: Free the test device tree node name 2018-11-13 15:12:13 -08:00
s390x s390x/pci: properly fail if the zPCI device cannot be created 2018-11-13 16:46:55 +01:00
scsi vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
sd ssi-sd: Make devices picking up backends unavailable with -device 2018-10-24 07:50:16 +01:00
sh4 hw/sh4/sh_pci: Use DeviceState::realize rather than SysBusDevice::init 2018-10-24 06:44:59 -03:00
smbios smbios: Clean up error handling in smbios_add() 2018-10-19 14:51:34 +02:00
sparc sun4m: don't use legacy fw_cfg_init_mem() function 2018-08-20 19:18:31 +01:00
sparc64 hw/sparc64/niagara: Model the I/O Bridge with the 'unimplemented_device' 2018-10-24 06:44:59 -03:00
ssi hw/ssi/xilinx_spi: Use DeviceState::realize rather than SysBusDevice::init 2018-10-24 06:44:59 -03:00
timer vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
tpm tpm: use loop iterator to set sts data field 2018-11-14 15:47:24 -05:00
tricore hw/tricore: Use the IEC binary prefix definitions 2018-07-02 15:41:14 +02:00
unicore32 hw/input/i8042: Extract declarations from i386/pc.h into input/i8042.h 2018-03-12 16:12:48 +01:00
usb usb: mtp fixes. 2018-12-03 19:57:59 +00:00
vfio s390x/vfio-ap: report correct error 2018-11-05 09:55:01 +01:00
virtio vmstate: constify VMStateField 2018-11-27 15:35:15 +01:00
watchdog qapi: Drop qapi_event_send_FOO()'s Error ** argument 2018-08-28 18:21:38 +02:00
xen xen: Use the PCI_DEVICE macro 2018-10-26 17:17:32 +02:00
xenpv hw/xen: Use the IEC binary prefix definitions 2018-07-02 15:41:13 +02:00
xtensa target/xtensa: xtfpga: provide default memory sizes 2018-11-21 10:53:21 -08:00
Makefile.objs memory-device: introduce separate config option 2018-10-24 06:44:59 -03:00