From: Peter Maydell
Subject: Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching
Date: Mon, 20 Mar 2017 14:46:39 +0000

On 20 March 2017 at 14:36, Jann Horn <address@hidden> wrote:
> This is an issue in QEMU's system emulation for X86 in TCG mode.
> The issue permits an attacker who can execute code in guest ring 3
> with normal user privileges to inject code into other processes that
> are running in guest ring 3, in particular root-owned processes.

> I am sending this to qemu-devel because a QEMU security contact
> told me that QEMU does not consider privilege escalation inside a
> TCG VM to be a security concern.

Correct; it's just a bug. Don't trust TCG QEMU as a security boundary.

We should really fix the crossing-a-page-boundary code for x86.
I believe we do get it correct for ARM Thumb instructions.

thanks
-- PMM
