Re: another invalid memory access, now xen: acpi-cnt
From: Michael Tokarev
Subject: Re: another invalid memory access, now xen: acpi-cnt
Date: Mon, 20 Jul 2020 18:02:21 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
20.07.2020 17:56, Michael Tokarev wrote:
> See https://bugs.launchpad.net/qemu/+bug/1886318, in particular
> the #13 in there (the patch) - I applied this to qemu which crashes
> after
> revert-memory-accept-mismatching-sizes-in-memory_region_access_valid-CVE-2020-13754.patch
> when run as the device model for Xen HVM domU. Here's the output:
>
> invalid size: acpi-cnt addr 0 size: 1
> invalid size: acpi-cnt addr 0 size: 1
>
> after this it just dies.
>
> This is another incarnation of LP#1886318.
> What can we do here?
This fixes it:
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 45cbed49abd..2cfb9bdc177 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -602,7 +602,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr,
uint64_t val,
static const MemoryRegionOps acpi_pm_cnt_ops = {
.read = acpi_pm_cnt_read,
.write = acpi_pm_cnt_write,
- .valid.min_access_size = 2,
+ .impl.min_access_size = 2,
+ .valid.min_access_size = 1,
.valid.max_access_size = 2,
.endianness = DEVICE_LITTLE_ENDIAN,
};
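Review bot: the hunk changes what size the handlers see without saying whether they cope with it. Lowering .valid.min_access_size to 1 while adding .impl.min_access_size = 2 means a guest's (or, per the report, QEMU's own) 1-byte access to acpi-cnt is no longer rejected but is handed to acpi_pm_cnt_read/acpi_pm_cnt_write as a 2-byte access; the change should state, in the commit message or a comment next to `.impl.min_access_size = 2,`, that these handlers treat a byte-sized access at offset 0 and at offset 1 correctly (the other byte of the 16-bit PM1_CNT register must not be clobbered or returned in the wrong position), since the three changed lines alone do not show that. It should also record why byte accesses to this register are now considered valid, i.e. the Xen HVM device-model failure quoted above, so that the relaxation is not read as an accidental weakening of the access-size check reinstated by the CVE-2020-13754 revert.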
But this time it's qemu itself, apparently, that tries to access this register.
/mjt