* [Qemu-devel] [Bug 786209] [NEW] Information leak in IDE core
@ 2011-05-21 15:33 Nelson Elhage
2011-07-04 1:50 ` [Qemu-devel] [Bug 786209] " Qiao Liyong
2016-06-23 8:42 ` T. Huth
0 siblings, 2 replies; 3+ messages in thread
From: Nelson Elhage @ 2011-05-21 15:33 UTC (permalink / raw)
To: qemu-devel
*** This bug is a security vulnerability ***
Public security bug reported:
When the DRQ_STAT bit is set, the IDE core permits both data reads and
data writes, regardless of whether the current transfer was initiated as
a read or write.
Furthermore, the IO buffer is allocated via a qemu_memalign but not
initialized or cleared at device creation.
This potentially leaks uninitialized host memory into the guest, if,
before doing anything else to an IDE device, the guest begins a write
transaction (e.g. WIN_WRITE), but then *reads* from the IO port instead
of writing to it. The IDE core will happily return the uninitialized
contents of the buffer to the guest, potentially leaking offsets that
could be used as part of an attack to get around ASLR.
** Affects: qemu
Importance: Undecided
Status: New
** Visibility changed to: Public
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786209
Title:
Information leak in IDE core
Status in QEMU:
New
Bug description:
When the DRQ_STAT bit is set, the IDE core permits both data reads and
data writes, regardless of whether the current transfer was initiated
as a read or write.
Furthermore, the IO buffer is allocated via a qemu_memalign but not
initialized or cleared at device creation.
This potentially leaks uninitialized host memory into the guest, if,
before doing anything else to an IDE device, the guest begins a write
transaction (e.g. WIN_WRITE), but then *reads* from the IO port
instead of writing to it. The IDE core will happily return the
uninitialized contents of the buffer to the guest, potentially leaking
offsets that could be used as part of an attack to get around ASLR.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Qemu-devel] [Bug 786209] Re: Information leak in IDE core
2011-05-21 15:33 [Qemu-devel] [Bug 786209] [NEW] Information leak in IDE core Nelson Elhage
@ 2011-07-04 1:50 ` Qiao Liyong
2016-06-23 8:42 ` T. Huth
1 sibling, 0 replies; 3+ messages in thread
From: Qiao Liyong @ 2011-07-04 1:50 UTC (permalink / raw)
To: qemu-devel
hi Nelson :
what 's the flag 'DRQ_STAT' mean for HD_STATUS ?
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786209
Title:
Information leak in IDE core
Status in QEMU:
New
Bug description:
When the DRQ_STAT bit is set, the IDE core permits both data reads and
data writes, regardless of whether the current transfer was initiated
as a read or write.
Furthermore, the IO buffer is allocated via a qemu_memalign but not
initialized or cleared at device creation.
This potentially leaks uninitialized host memory into the guest, if,
before doing anything else to an IDE device, the guest begins a write
transaction (e.g. WIN_WRITE), but then *reads* from the IO port
instead of writing to it. The IDE core will happily return the
uninitialized contents of the buffer to the guest, potentially leaking
offsets that could be used as part of an attack to get around ASLR.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/786209/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Qemu-devel] [Bug 786209] Re: Information leak in IDE core
2011-05-21 15:33 [Qemu-devel] [Bug 786209] [NEW] Information leak in IDE core Nelson Elhage
2011-07-04 1:50 ` [Qemu-devel] [Bug 786209] " Qiao Liyong
@ 2016-06-23 8:42 ` T. Huth
1 sibling, 0 replies; 3+ messages in thread
From: T. Huth @ 2016-06-23 8:42 UTC (permalink / raw)
To: qemu-devel
Fixed here:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=40c4ed3f95f0b2ffa0848df0f
** Changed in: qemu
Status: New => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/786209
Title:
Information leak in IDE core
Status in QEMU:
Fix Released
Bug description:
When the DRQ_STAT bit is set, the IDE core permits both data reads and
data writes, regardless of whether the current transfer was initiated
as a read or write.
Furthermore, the IO buffer is allocated via a qemu_memalign but not
initialized or cleared at device creation.
This potentially leaks uninitialized host memory into the guest, if,
before doing anything else to an IDE device, the guest begins a write
transaction (e.g. WIN_WRITE), but then *reads* from the IO port
instead of writing to it. The IDE core will happily return the
uninitialized contents of the buffer to the guest, potentially leaking
offsets that could be used as part of an attack to get around ASLR.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/786209/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-06-23 8:51 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-05-21 15:33 [Qemu-devel] [Bug 786209] [NEW] Information leak in IDE core Nelson Elhage
2011-07-04 1:50 ` [Qemu-devel] [Bug 786209] " Qiao Liyong
2016-06-23 8:42 ` T. Huth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.