From: Gianni Tedesco <gianni@scaramanga.co.uk>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] Security house-cleaning
Date: Thu, 17 Jun 2004 16:07:20 +0100 [thread overview]
Message-ID: <1087484840.21569.108.camel@sherbert> (raw)
In-Reply-To: <20040617043838.GA1938@sentinelchicken.org>
[-- Attachment #1: Type: text/plain, Size: 1956 bytes --]
On Wed, 2004-06-16 at 21:38 -0700, Tim wrote:
> I have to say, the core QEMU code is quite clean, and I feel that much
> more confident in using it for honeypot projects later on. ;-) The
> biggest culprit in terms of potential overflows, was the slirp code.
> There were some disturbing instances where strings were being pulled
> directly from the command line and tossed into a fixed-length buffer
> with no checks. =-X I can't say that I understand at all how slirp
> works, so I don't know if it is exploitable.
Thats only worrisome from a security perspective if qemu was designed to
run SUID, which I doubt that it is... Of course it's a bug and needs
fixing though.
What would be more worrying is if there were overflows in the packet
processing allowing (possibly compromised) guest OS or remote machines
to take over qemu process by sending an exploit in a malformed packet.
The other possible vector I can think of is if there are exploits in
specific devices where you have things like audio processing going on
etc... Also when USB support exists, it could be possible to send
packets containing an overflow that could trip up a driver and execute
code, so that will need careful attention too.
Anyway, it's nice to see someone cares and is looking at the security of
qemu ;)
A quick note on the patch: where you are replacing strcpy() with
strncpy(), you are better to use snprintf(buf, sizeof(buf), "%s",
input); as that guarantees nul termination. It also allows you to easily
check if input was truncated, in some cases, silent truncation could be
a bug.
PS. Could you send README and patch as 2 attachments next time, dealing
with attachments, and archives is a PITA when u just want to skim a
patch :)
--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/scaramanga.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2004-06-17 15:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-06-17 4:38 [Qemu-devel] [PATCH] Security house-cleaning Tim
2004-06-17 15:07 ` Gianni Tedesco [this message]
2004-06-17 15:14 ` Renzo Davoli
2004-06-17 15:24 ` Panagiotis Issaris
2004-06-17 15:27 ` Sebastien Bechet
2004-06-17 16:37 ` Tim
2004-06-17 17:03 ` Sander Nagtegaal
2004-06-17 17:16 ` Gianni Tedesco
2004-06-17 19:59 ` Renzo Davoli
2004-06-17 16:05 ` Tim
2004-06-17 17:41 ` Gianni Tedesco
2004-06-18 4:13 ` Tim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1087484840.21569.108.camel@sherbert \
--to=gianni@scaramanga.co.uk \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).