* another invalid memory access, now xen: acpi-cnt
@ 2020-07-20 14:56 Michael Tokarev
From: Michael Tokarev @ 2020-07-20 14:56 UTC (permalink / raw)
To: qemu-devel qemu-devel, Michael S. Tsirkin
See https://bugs.launchpad.net/qemu/+bug/1886318 , in particular
the #13 in there (the patch) - I applied this to qemu which crashes
after revert-memory-accept-mismatching-sizes-in-memory_region_access_valid-CVE-2020-13754.patch
when run as the device model for Xen HVM domU. Here's the output:
invalid size: acpi-cnt addr 0 size: 1
invalid size: acpi-cnt addr 0 size: 1
after this it just dies.
This is another incarnation of LP#1886318 .
What can we do here?
Thanks,
/mjt
* Re: another invalid memory access, now xen: acpi-cnt
From: Michael Tokarev @ 2020-07-20 15:02 UTC (permalink / raw)
To: qemu-devel qemu-devel, Michael S. Tsirkin
20.07.2020 17:56, Michael Tokarev wrote:
> See https://bugs.launchpad.net/qemu/+bug/1886318 , in particular
> the #13 in there (the patch) - I applied this to qemu which crashes
> after revert-memory-accept-mismatching-sizes-in-memory_region_access_valid-CVE-2020-13754.patch
> when run as the device model for Xen HVM domU. Here's the output:
>
> invalid size: acpi-cnt addr 0 size: 1
> invalid size: acpi-cnt addr 0 size: 1
>
> after this it just dies.
>
> This is another incarnation of LP#1886318 .
> What can we do here?
This fixes it:
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 45cbed49abd..2cfb9bdc177 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -602,7 +602,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
static const MemoryRegionOps acpi_pm_cnt_ops = {
.read = acpi_pm_cnt_read,
.write = acpi_pm_cnt_write,
- .valid.min_access_size = 2,
+ .impl.min_access_size = 2,
+ .valid.min_access_size = 1,
.valid.max_access_size = 2,
.endianness = DEVICE_LITTLE_ENDIAN,
};
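Review bot: the hunk needs a justification for accepting 1-byte accesses and a check of what the handlers then see. Setting `.impl.min_access_size = 2` alongside `.valid.min_access_size = 1` makes the memory core accept the byte access that was previously refused and deliver it to `acpi_pm_cnt_read`/`acpi_pm_cnt_write` as a 2-byte access: a byte write to the low half arrives zero-extended (high byte cleared), and a byte write at offset 1 arrives with `addr` = 1. Nothing in the hunk shows those handlers were checked for either case, so please confirm they place the bits correctly for widened accesses, and record in the commit message which component issues the byte access (the reply says it appears to be QEMU itself) and why it is considered legitimate rather than a bug in the accessor.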
But this time it's qemu itself - apparently - who tries to access this register.
/mjt
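As an added illustration (not code from this thread or from QEMU), a constructed C model of the valid/impl size handling the hunk changes: the "before" ops reject the 1-byte access exactly as the log lines above show, while the "after" ops let it reach the handler as a zero-extended 2-byte write. The PM1 control register handlers here are assumptions standing in for acpi_pm_cnt_read/acpi_pm_cnt_write, whose bodies are not on the page.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of how QEMU's memory core applies a MemoryRegionOps'
 * .valid and .impl sizes to one register; not QEMU's own code. */
struct ops { unsigned valid_min, valid_max, impl_min, impl_max; };
/* Stand-in for the 16-bit PM1 control register behind "acpi-cnt"; assumed
 * to ignore the offset and store the whole value, as a plain 16-bit register would. */
static uint16_t pm1_cnt;
static uint64_t cnt_read(unsigned a, unsigned sz) { (void)a; (void)sz; return pm1_cnt; }
static void cnt_write(unsigned a, uint64_t v, unsigned sz) { (void)a; (void)sz; pm1_cnt = (uint16_t)v; }
/* Returns -1 when .valid rejects the size (where QEMU prints "invalid size:
 * acpi-cnt addr 0 size: 1"), 0 once the access has reached the handler. */
static int dispatch(const struct ops *o, unsigned addr, uint64_t *val,
                    unsigned size, int is_write)
{
    unsigned vmin = o->valid_min ? o->valid_min : 1, vmax = o->valid_max ? o->valid_max : 4;
    unsigned imin = o->impl_min ? o->impl_min : 1, imax = o->impl_max ? o->impl_max : 4;
    if (size < vmin || size > vmax) {
        printf("invalid size: acpi-cnt addr %u size: %u\n", addr, size);
        return -1;
    }
    /* .impl splits or widens the guest access to a size the handler takes */
    unsigned access_size = size > imax ? imax : size;
    if (access_size < imin) access_size = imin;
    uint64_t mask = (1ULL << (access_size * 8)) - 1, out = 0;
    for (unsigned i = 0; i < size; i += access_size) {
        unsigned shift = i * 8;  /* little-endian chunk order */
        if (is_write)  /* a widened chunk is zero-extended: no read-modify-write */
            cnt_write(addr + i, (*val >> shift) & mask, access_size);
        else
            out |= (cnt_read(addr + i, access_size) & mask) << shift;
    }
    if (!is_write) *val = out;
    return 0;
}
/* Byte write of 0x34 to offset 0 while the register holds 0x1234: returns
 * -1 if rejected, otherwise the register contents afterwards. */
static int byte_write_low(const struct ops *o)
{
    uint64_t v = 0x34;
    pm1_cnt = 0x1234;
    return dispatch(o, 0, &v, 1, 1) < 0 ? -1 : pm1_cnt;
}
static const struct ops before = { .valid_min = 2, .valid_max = 2 };
static const struct ops after  = { .valid_min = 1, .valid_max = 2, .impl_min = 2 };
int main(void)
{
    printf("before patch: %d\n", byte_write_low(&before));  /* -1: rejected */
    printf("after patch:  0x%x\n", byte_write_low(&after)); /* 0x34: high byte cleared */
    return 0;
}
```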