| QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an |
| out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() |
| function. A local attacker with permission to execute i2c commands could exploit |
| this to read stack memory of the qemu process on the host. |
| |
| CVE: CVE-2019-3812 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@intel.com> |
| |
| From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001 |
| From: Gerd Hoffmann <kraxel@redhat.com> |
| Date: Tue, 8 Jan 2019 11:23:01 +0100 |
| Subject: [PATCH] i2c-ddc: fix oob read |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| Suggested-by: Michael Hanselmann <public@hansmi.ch> |
| Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> |
| Reviewed-by: Michael Hanselmann <public@hansmi.ch> |
| Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> |
| Message-id: 20190108102301.1957-1-kraxel@redhat.com |
| --- |
| hw/i2c/i2c-ddc.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c |
| index be34fe072cf..0a0367ff38f 100644 |
| --- a/hw/i2c/i2c-ddc.c |
| +++ b/hw/i2c/i2c-ddc.c |
| @@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c) |
| I2CDDCState *s = I2CDDC(i2c); |
| |
| int value; |
| - value = s->edid_blob[s->reg]; |
| + value = s->edid_blob[s->reg % sizeof(s->edid_blob)]; |
| s->reg++; |
| return value; |
| } |