On 04/12/2010 04:57 AM, wzt.wzt@xxxxxxxxx wrote:
> coalesced_mmio_write() does not check the len value. If len is negative, memcpy(ring->coalesced_mmio[ring->last].data, val, len); will cause a stack buffer overflow.

How can len be negative? It can only be between 1 and 8.

--
I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain.
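
The point under discussion, as an added example that is not part of either message and is not KVM source: a simplified model of a ring entry with an 8-byte data field, showing what size a signed `len` turns into when handed to `memcpy()` and a guard that enforces the 1 to 8 range stated in the reply. The struct, `effective_copy_size()` and `mmio_entry_write()` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of one ring entry. data[] holds 8 bytes,
 * matching the "between 1 and 8" range given in the reply. */
#define MMIO_DATA_MAX 8

struct mmio_entry {
    uint64_t phys_addr;
    uint32_t len;
    uint8_t  data[MMIO_DATA_MAX];
};

/* memcpy() takes a size_t, so a signed len is converted before the copy.
 * This returns the byte count memcpy() would actually be asked for. */
static size_t effective_copy_size(int len)
{
    return (size_t)len;
}

/* Defensive write: refuse any len outside 1..8 before touching data[].
 * Returns 0 on success, -1 when len is out of range. */
static int mmio_entry_write(struct mmio_entry *e, uint64_t addr,
                            int len, const void *val)
{
    if (len < 1 || len > MMIO_DATA_MAX)
        return -1;
    e->phys_addr = addr;
    e->len = (uint32_t)len;
    memcpy(e->data, val, (size_t)len);
    return 0;
}

int main(void)
{
    struct mmio_entry e = {0};
    uint32_t v = 0x11223344;            /* constructed sample value */

    printf("len=-1 as size_t: %zu\n", effective_copy_size(-1));
    printf("write len=4:  %d\n", mmio_entry_write(&e, 0x1000, 4, &v));
    printf("write len=-1: %d\n", mmio_entry_write(&e, 0x1000, -1, &v));
    printf("write len=9:  %d\n", mmio_entry_write(&e, 0x1000, 9, &v));
    return 0;
}
```

Whether such a guard is needed depends on whether every caller already constrains `len`, which is the question the reply raises.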