Created attachment 1845942 [details]
Steps to Reproduce

Description of problem:
An invalid pointer initialization issue was found in /hw/acpi/pcihp.c:470:9 of QEMU in version 6.2.0-rc2. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Version-Release number of selected component (if applicable):
6.2.0-rc2

How reproducible:
https://gitlab.com/qemu-project/qemu/-/issues/770

Steps to Reproduce:
https://gitlab.com/qemu-project/qemu/-/issues/770

Actual results:
disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS)

Expected results:
Remote code execution

Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/770
This vulnerability is caused by the lax inspection of the bus variable in function pci_write of /hw/acpi/pcihp.c. In this function, bus may be NULL. It may be fixed by this:

@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data, } bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select); + if (!bus) { + break; + } QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) { Object *o = OBJECT(kid->child); PCIDevice *dev = PCI_DEVICE(o);

This patch is provided by the QEMU team. After my local test, the patched program does not crash with the same input.
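Review bot: the added `if (!bus) { break; }` stops the NULL dereference in the QTAILQ_FOREACH_SAFE loop but silently drops the write, so a guest that sets hotplug_select to a value for which acpi_pcihp_find_hotplug_bus() returns NULL leaves no trace on the host; consider emitting a qemu_log_mask(LOG_GUEST_ERROR, ...) with the rejected selector before the break so the invalid access is observable, and note in the commit message that this guards only this call site and that any other caller of acpi_pcihp_find_hotplug_bus() needs the same NULL check.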
*** Bug 2032920 has been marked as a duplicate of this bug. ***