Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translatio
From: Peter Maydell
Subject: Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching
Date: Mon, 20 Mar 2017 14:46:39 +0000
On 20 March 2017 at 14:36, Jann Horn <address@hidden> wrote:
> This is an issue in QEMU's system emulation for X86 in TCG mode.
> The issue permits an attacker who can execute code in guest ring 3
> with normal user privileges to inject code into other processes that
> are running in guest ring 3, in particular root-owned processes.
> I am sending this to qemu-devel because a QEMU security contact
> told me that QEMU does not consider privilege escalation inside a
> TCG VM to be a security concern.
Correct; it's just a bug. Don't trust TCG QEMU as a security boundary.
We should really fix the crossing-a-page-boundary code for x86.
I believe we do get it correct for ARM Thumb instructions.
thanks
-- PMM