lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 May 2017 12:33:13 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: Wanpeng Li <kernellwp@...il.com>, linux-kernel@...r.kernel.org, kvm@...r.kernel.org Cc: Radim Krčmář <rkrcmar@...hat.com>, Wanpeng Li <wanpeng.li@...mail.com>, Moguofang <moguofang@...wei.com> Subject: Re: [PATCH] KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation On 19/05/2017 11:46, Wanpeng Li wrote: > From: Wanpeng Li <wanpeng.li@...mail.com> > > Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation. > > - "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only, > a read should be ignored) in guest can get a random number. > - "rep insb" instruction to access PIT register port 0x43 can control memcpy() > in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes, > which will disclose the unimportant kernel memory in host but no crash. The data comes simply from the last PIO read, right? The vcpu struct is zero-initialized, so there is no kernel memory leak---the byte was already previously known to the guest. Good catch though, and the patch looks good. Thanks, Paolo > The similar test program below can reproduce the read out-of-bounds vulnerability:
Powered by blists - more mailing lists