From: John Snow <jsnow@redhat.com>
To: Kevin Wolf <kwolf@redhat.com>, Alexander Popov <alex.popov@linux.com>
Cc: sstabellini@kernel.org, pmatouse@redhat.com,
mdroth@linux.vnet.ibm.com, qemu-block@nongnu.org, mst@redhat.com,
qemu-devel@nongnu.org, qemu-stable@nongnu.org, pjp@redhat.com
Subject: Re: [Qemu-devel] [Qemu-block] [QEMU-SECURITY] ide: fix assertion in ide_dma_cb() to prevent qemu DoS from quest
Date: Tue, 16 Jul 2019 10:57:14 -0400 [thread overview]
Message-ID: <52979901-15a7-ee2c-80d7-4cbbc99f461c@redhat.com> (raw)
In-Reply-To: <20190716112535.GB7297@linux.fritz.box>
On 7/16/19 7:25 AM, Kevin Wolf wrote:
> Am 15.07.2019 um 13:24 hat Alexander Popov geschrieben:
>> On 05.07.2019 17:07, Alexander Popov wrote:
>>> This assertion was introduced in the commit a718978ed58a in July 2015.
>>> It implies that the size of successful DMA transfers handled in
>>> ide_dma_cb() should be multiple of 512 (the size of a sector).
>>>
>>> But guest systems can initiate DMA transfers that don't fit this
>>> requirement. Let's improve the assertion to prevent qemu DoS from quests.
>>
>> Hello!
>>
>> Just a friendly ping.
>>
>> Could you have a look at this patch?
>
> John, I think this is for you.
>
> I haven't reviewed this yet, but if we put an assertion there that the
> request is aligned, we probably rely on this fact somewhere in the code.
> So I suspect that just changing the assertion without changing other
> code, too, might not be enough.
>
> Kevin
>
Right; I'm aware of the patch. It's on the list to investigate today.
I have the same concern that the assertion intuits a bug elsewhere, so I
wanted to give this one a thorough investigation before inclusion for rc1.
Sorry for the delay, it IS on my list, but I also feel that a privileged
DOS by a guest of a legacy device is actually low priority
security-wise, unless we can demonstrate that there are side effects
that can be exploited.
--js
next prev parent reply other threads:[~2019-07-16 14:58 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-05 14:07 [Qemu-devel] [QEMU-SECURITY] ide: fix assertion in ide_dma_cb() to prevent qemu DoS from quest Alexander Popov
2019-07-05 14:13 ` Alexander Popov
2019-07-15 11:24 ` Alexander Popov
2019-07-16 11:25 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
2019-07-16 14:57 ` John Snow [this message]
2019-07-16 16:18 ` P J P
2019-07-26 0:25 ` [Qemu-devel] " John Snow
2019-07-26 21:09 ` Alexander Popov
2019-11-06 12:05 ` Michael S. Tsirkin
2019-11-06 22:05 ` Alexander Popov
2019-11-14 17:31 ` Alexander Popov
2019-11-06 10:17 ` Alexander Popov
2019-11-06 12:08 ` Michael S. Tsirkin
2019-11-06 22:01 ` Alexander Popov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52979901-15a7-ee2c-80d7-4cbbc99f461c@redhat.com \
--to=jsnow@redhat.com \
--cc=alex.popov@linux.com \
--cc=kwolf@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pjp@redhat.com \
--cc=pmatouse@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=sstabellini@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.