qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/7] ATAPI CDROM passthrough v5

From: Carl-Daniel Hailfinger
Subject: Re: [Qemu-devel] [PATCH 0/7] ATAPI CDROM passthrough v5
Date: Sat, 29 Aug 2009 23:10:42 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081213 SUSE/1.1.14-1.1 SeaMonkey/1.1.14 
On 29.08.2009 22:49, Anthony Liguori wrote:
> Carl-Daniel Hailfinger wrote:
>> On 28.08.2009 22:21, Bique Alexandre wrote:
>>  
>>> On Wednesday 12 August 2009 17:18:13 Ian Jackson wrote:
>>>      
>>>>> Also, I think Paul and I both requested that fw upgrade not be
>>>>> disabled by default.
>>>>>               
>>>> As previously discussed I think this is a mistake, but it's a decision
>>>> for qemu upstream to make so I have changed this. 
>>
>> Anyone up for writing a security advisory about this?
>
> Eh?
>
> If you do hardware passthrough, the guest can mess up the device. 
> This is always going to be true and it's a security problem IMHO to
> make the user think anything other than that.

The guest can also mess up other devices with the help of specially
crafted firmware. So even if the user does not care about the effects on
a particular device, a firmware upgrade might affect other devices
(which are not used by Qemu in any way) as well. As a result, this is
essentially a "break out of qemu or DoS the machine under certain
conditions" feature. If that particular side effect / feature is
documented, users who read the documentation won't get any nasty surprises.
If that's what you intended to say, I apologize for the misunderstanding.

Regards,
Carl-Daniel

> Regards,
>
> Anthony Liguori
reply via email to
[Prev in Thread] Current Thread [Next in Thread]