On Mon, 24 Oct 2016 09:02:19 GMT, azureyang# wrote:
> I found an OOB read/write bug that can cause code execution on the host.
> The related code is in
> s->data[n][p] = value;
> return s->data[n][p];
> which failed to check the bounds of the passed values; the packet_num and ptr
> can be set by guest MMIO operations. With the overwrite of s->mmio->ops,
> code execution can be achieved.
Thank you so much for reporting this issue. A patch has been sent upstream to fix this issue.
IIUC, the SMSC91C111 Ethernet controller is used on the ARM Versatile EP and other similar platforms, which are mostly used in prototype development environments. These platforms are not generally used with KVM to provide virtualised guest environments. We could not consider this issue for a CVE as the upstream QEMU project does not consider these issues to be security relevant.
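The unchecked packet-buffer access the report quotes, shown beside a bounds-checked form, as an added illustration that is not QEMU's own code (the struct layout, buffer sizes and function names are assumptions):

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the device state: a packet buffer array indexed by a
 * packet number and an offset, both chosen by the guest through MMIO.
 * Sizes and names are assumptions for illustration, not QEMU's own. */
#define NUM_PACKETS 4
#define PACKET_SIZE 2048

typedef struct {
    uint8_t data[NUM_PACKETS][PACKET_SIZE];
    void *ops;   /* stands in for the pointer that sits after the buffer in memory */
} smc_state_t;

/* Vulnerable pattern from the report: guest-supplied indices used directly,
 * so an out-of-range n or p reads or writes past data[]. */
static void write_unchecked(smc_state_t *s, int n, int p, uint8_t value)
{
    s->data[n][p] = value;
}

/* Hardened form: reject any index outside the buffer before touching memory.
 * Returns false and writes nothing on a bad index; a real device model would
 * also log the guest error rather than silently ignoring it. */
static bool write_checked(smc_state_t *s, int n, int p, uint8_t value)
{
    if (n < 0 || n >= NUM_PACKETS || p < 0 || p >= PACKET_SIZE) {
        return false;
    }
    s->data[n][p] = value;
    return true;
}

/* Same check on the read side, which the report notes is equally unguarded. */
static bool read_checked(const smc_state_t *s, int n, int p, uint8_t *out)
{
    if (n < 0 || n >= NUM_PACKETS || p < 0 || p >= PACKET_SIZE) {
        return false;
    }
    *out = s->data[n][p];
    return true;
}
```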