Brad Bishop | 1932369 | 2019-04-05 15:28:33 -0400 | [diff] [blame^] | 1 | QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an |
| 2 | out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() |
| 3 | function. A local attacker with permission to execute i2c commands could exploit |
| 4 | this to read stack memory of the qemu process on the host. |
| 5 | |
| 6 | CVE: CVE-2019-3812 |
| 7 | Upstream-Status: Backport |
| 8 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 9 | |
| 10 | From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001 |
| 11 | From: Gerd Hoffmann <kraxel@redhat.com> |
| 12 | Date: Tue, 8 Jan 2019 11:23:01 +0100 |
| 13 | Subject: [PATCH] i2c-ddc: fix oob read |
| 14 | MIME-Version: 1.0 |
| 15 | Content-Type: text/plain; charset=UTF-8 |
| 16 | Content-Transfer-Encoding: 8bit |
| 17 | |
| 18 | Suggested-by: Michael Hanselmann <public@hansmi.ch> |
| 19 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> |
| 20 | Reviewed-by: Michael Hanselmann <public@hansmi.ch> |
| 21 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> |
| 22 | Message-id: 20190108102301.1957-1-kraxel@redhat.com |
| 23 | --- |
| 24 | hw/i2c/i2c-ddc.c | 2 +- |
| 25 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 26 | |
| 27 | diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c |
| 28 | index be34fe072cf..0a0367ff38f 100644 |
| 29 | --- a/hw/i2c/i2c-ddc.c |
| 30 | +++ b/hw/i2c/i2c-ddc.c |
| 31 | @@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c) |
| 32 | I2CDDCState *s = I2CDDC(i2c); |
| 33 | |
| 34 | int value; |
| 35 | - value = s->edid_blob[s->reg]; |
| 36 | + value = s->edid_blob[s->reg % sizeof(s->edid_blob)]; |
| 37 | s->reg++; |
| 38 | return value; |
| 39 | } |