[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [Qemu-block] [QEMU-SECURITY] ide: fix assertion in ide_
Re: [Qemu-devel] [Qemu-block] [QEMU-SECURITY] ide: fix assertion in ide_dma_cb() to prevent qemu DoS from quest
Tue, 16 Jul 2019 10:57:14 -0400
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
On 7/16/19 7:25 AM, Kevin Wolf wrote:
> Am 15.07.2019 um 13:24 hat Alexander Popov geschrieben:
>> On 05.07.2019 17:07, Alexander Popov wrote:
>>> This assertion was introduced in the commit a718978ed58a in July 2015.
>>> It implies that the size of successful DMA transfers handled in
>>> ide_dma_cb() should be multiple of 512 (the size of a sector).
>>> But guest systems can initiate DMA transfers that don't fit this
>>> requirement. Let's improve the assertion to prevent qemu DoS from quests.
>> Just a friendly ping.
>> Could you have a look at this patch?
> John, I think this is for you.
> I haven't reviewed this yet, but if we put an assertion there that the
> request is aligned, we probably rely on this fact somewhere in the code.
> So I suspect that just changing the assertion without changing other
> code, too, might not be enough.
Right; I'm aware of the patch. It's on the list to investigate today.
I have the same concern that the assertion intuits a bug elsewhere, so I
wanted to give this one a thorough investigation before inclusion for rc1.
Sorry for the delay, it IS on my list, but I also feel that a privileged
DOS by a guest of a legacy device is actually low priority
security-wise, unless we can demonstrate that there are side effects
that can be exploited.