* [Qemu-devel] [Bug 786209] [NEW] Information leak in IDE core
@ 2011-05-21 15:33 Nelson Elhage
  2011-07-04  1:50 ` [Qemu-devel] [Bug 786209] " Qiao Liyong
  2016-06-23  8:42 ` T. Huth
  0 siblings, 2 replies; 3+ messages in thread
From: Nelson Elhage @ 2011-05-21 15:33 UTC (permalink / raw)
  To: qemu-devel

*** This bug is a security vulnerability ***

Public security bug reported:

When the DRQ_STAT bit is set, the IDE core permits both data reads and
data writes, regardless of whether the current transfer was initiated as
a read or write.

Furthermore, the IO buffer is allocated via a qemu_memalign but not
initialized or cleared at device creation.

This potentially leaks uninitialized host memory into the guest, if,
before doing anything else to an IDE device, the guest begins a write
transaction (e.g. WIN_WRITE), but then *reads* from the IO port instead
of writing to it. The IDE core will happily return the uninitialized
contents of the buffer to the guest, potentially leaking offsets that
could be used as part of an attack to get around ASLR.

** Affects: qemu
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786209

Title:
  Information leak in IDE core

Status in QEMU:
  New

Bug description:
  When the DRQ_STAT bit is set, the IDE core permits both data reads and
  data writes, regardless of whether the current transfer was initiated
  as a read or write.

  Furthermore, the IO buffer is allocated via a qemu_memalign but not
  initialized or cleared at device creation.

  This potentially leaks uninitialized host memory into the guest, if,
  before doing anything else to an IDE device, the guest begins a write
  transaction (e.g. WIN_WRITE), but then *reads* from the IO port
  instead of writing to it. The IDE core will happily return the
  uninitialized contents of the buffer to the guest, potentially leaking
  offsets that could be used as part of an attack to get around ASLR.
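The access pattern the report describes, as an added example that is not part of the original report or of QEMU's hw/ide code: a small C model of a PIO data-port handler in which the only gate on data-port reads and writes is DRQ_STAT, next to a hardened variant that records the direction of the transfer the command started and clears the buffer at creation. Everything here (the `ide_model` struct, `probe_leak`, the 0xAA poison pattern standing in for whatever uninitialized memory qemu_memalign returned) is constructed for the illustration; the register bit and command values are the standard ATA ones.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Standard ATA values, named as in the report. This is a hypothetical
 * model of a data-port handler, not QEMU's implementation. */
#define DRQ_STAT    0x08   /* data request: device expects PIO data */
#define READY_STAT  0x40
#define WIN_READ    0x20   /* READ SECTORS */
#define WIN_WRITE   0x30   /* WRITE SECTORS */
#define SECTOR_SIZE 512

enum xfer_dir { XFER_NONE, XFER_TO_GUEST, XFER_FROM_GUEST };

struct ide_model {
    uint8_t  status;
    uint8_t *io_buffer;          /* one PIO buffer shared by reads and writes */
    uint8_t *data_ptr, *data_end;
    enum xfer_dir dir;           /* direction of the transfer in progress */
    int hardened;
};

/* Stand-in for the host-side allocation. The vulnerable path leaves the
 * buffer as allocated; it is poisoned with 0xAA here so the leak is
 * observable in a test instead of depending on what malloc hands back. */
static void ide_model_init(struct ide_model *s, int hardened)
{
    memset(s, 0, sizeof(*s));
    s->io_buffer = malloc(SECTOR_SIZE);
    memset(s->io_buffer, 0xAA, SECTOR_SIZE);  /* stale "host" contents */
    if (hardened)
        memset(s->io_buffer, 0, SECTOR_SIZE); /* fix 1: clear at creation */
    s->hardened = hardened;
    s->status = READY_STAT;
}

/* Guest writes a command to the command register. Both commands raise
 * DRQ_STAT and expect one sector of PIO data; only the direction differs. */
static void ide_model_cmd(struct ide_model *s, uint8_t cmd)
{
    switch (cmd) {
    case WIN_WRITE: s->dir = XFER_FROM_GUEST; break;
    case WIN_READ:  s->dir = XFER_TO_GUEST;   break; /* real device fills io_buffer here */
    default:        return;
    }
    s->data_ptr = s->io_buffer;
    s->data_end = s->io_buffer + SECTOR_SIZE;
    s->status |= DRQ_STAT;
}

static void ide_model_advance(struct ide_model *s)
{
    s->data_ptr += 2;
    if (s->data_ptr >= s->data_end) {
        s->status &= ~DRQ_STAT;
        s->dir = XFER_NONE;
    }
}

/* Guest reads 16 bits from the data port. In the vulnerable model DRQ_STAT
 * alone decides; the hardened model also requires a read transfer. */
static uint16_t ide_model_data_readw(struct ide_model *s)
{
    uint16_t v;
    if (!(s->status & DRQ_STAT))
        return 0xffff;
    if (s->hardened && s->dir != XFER_TO_GUEST)  /* fix 2: direction check */
        return 0xffff;
    memcpy(&v, s->data_ptr, 2);
    ide_model_advance(s);
    return v;
}

/* Guest writes 16 bits to the data port; same gating as the read side. */
static void ide_model_data_writew(struct ide_model *s, uint16_t v)
{
    if (!(s->status & DRQ_STAT))
        return;
    if (s->hardened && s->dir != XFER_FROM_GUEST)
        return;
    memcpy(s->data_ptr, &v, 2);
    ide_model_advance(s);
}

/* The sequence from the report: start a WIN_WRITE, then read the data port
 * instead of writing to it. Returns the first word the guest sees. */
static uint16_t probe_leak(int hardened)
{
    struct ide_model s;
    ide_model_init(&s, hardened);
    ide_model_cmd(&s, WIN_WRITE);
    uint16_t w = ide_model_data_readw(&s);
    free(s.io_buffer);
    return w;
}
```

`probe_leak(0)` returns the poison word 0xAAAA, i.e. whatever was in the buffer before the guest ever wrote to it; `probe_leak(1)` returns 0xffff because the direction check rejects a read during a write transfer. Either of the two fixes on its own closes the leak for this sequence; the direction check is the more general one, since it also stops a write from overwriting a read buffer that another code path still expects to be intact.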


* [Qemu-devel] [Bug 786209] Re: Information leak in IDE core
  2011-05-21 15:33 [Qemu-devel] [Bug 786209] [NEW] Information leak in IDE core Nelson Elhage
@ 2011-07-04  1:50 ` Qiao Liyong
  2016-06-23  8:42 ` T. Huth
  1 sibling, 0 replies; 3+ messages in thread
From: Qiao Liyong @ 2011-07-04  1:50 UTC (permalink / raw)
  To: qemu-devel

Hi Nelson,

What does the flag 'DRQ_STAT' mean for HD_STATUS?



* [Qemu-devel] [Bug 786209] Re: Information leak in IDE core
  2011-05-21 15:33 [Qemu-devel] [Bug 786209] [NEW] Information leak in IDE core Nelson Elhage
  2011-07-04  1:50 ` [Qemu-devel] [Bug 786209] " Qiao Liyong
@ 2016-06-23  8:42 ` T. Huth
  1 sibling, 0 replies; 3+ messages in thread
From: T. Huth @ 2016-06-23  8:42 UTC (permalink / raw)
  To: qemu-devel

Fixed here:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=40c4ed3f95f0b2ffa0848df0f

** Changed in: qemu
       Status: New => Fix Released

