Subject: Re: [Qemu-devel] [PATCH] Security house-cleaning
From: Gianni Tedesco
In-Reply-To: <20040617043838.GA1938@sentinelchicken.org>
References: <20040617043838.GA1938@sentinelchicken.org>
Date: Thu, 17 Jun 2004 16:07:20 +0100
Message-Id: <1087484840.21569.108.camel@sherbert>
Reply-To: qemu-devel@nongnu.org
To: qemu-devel@nongnu.org

On Wed, 2004-06-16 at 21:38 -0700, Tim wrote:
> I have to say, the core QEMU code is quite clean, and I feel that much
> more confident in using it for honeypot projects later on. ;-) The
> biggest culprit in terms of potential overflows, was the slirp code.
> There were some disturbing instances where strings were being pulled
> directly from the command line and tossed into a fixed-length buffer
> with no checks. =-X I can't say that I understand at all how slirp
> works, so I don't know if it is exploitable.
That's only worrisome from a security perspective if qemu was designed to run SUID, which I doubt that it is... Of course it's a bug and needs fixing though.

What would be more worrying is if there were overflows in the packet processing allowing (possibly compromised) guest OS or remote machines to take over the qemu process by sending an exploit in a malformed packet. The other possible vector I can think of is if there are exploits in specific devices where you have things like audio processing going on etc... Also when USB support exists, it could be possible to send packets containing an overflow that could trip up a driver and execute code, so that will need careful attention too.

Anyway, it's nice to see someone cares and is looking at the security of qemu ;)

A quick note on the patch: where you are replacing strcpy() with strncpy(), you are better to use snprintf(buf, sizeof(buf), "%s", input); as that guarantees nul termination. It also allows you to easily check if input was truncated; in some cases, silent truncation could be a bug.

PS. Could you send README and patch as 2 attachments next time? Dealing with attachments and archives is a PITA when you just want to skim a patch :)

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/scaramanga.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
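An added example, not part of the original message or of the patch under discussion, contrasting the two replacement forms the reply describes: with a constructed 8-byte buffer, strncpy() leaves no terminator when the input fills the buffer, while snprintf() always terminates and its return value exposes truncation.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8  /* constructed buffer size for the demonstration */

/* Copy the way the patch does (strncpy). When the input is BUF_SIZE
 * chars or longer, strncpy writes no terminating nul at all.
 * Returns 1 if buf ended up nul-terminated, 0 if it did not. */
int copy_strncpy(char *buf, size_t size, const char *input)
{
    memset(buf, 'X', size);          /* constructed: make a missing nul visible */
    strncpy(buf, input, size);
    return memchr(buf, '\0', size) != NULL;
}

/* Copy the way the reply suggests (snprintf). The buffer is always
 * nul-terminated, and the return value is the length the full string
 * would have needed, so a result >= size means the input was truncated.
 * Returns 1 if the input fit, 0 if it was silently cut short. */
int copy_snprintf(char *buf, size_t size, const char *input)
{
    int needed = snprintf(buf, size, "%s", input);
    return needed >= 0 && (size_t)needed < size;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *inputs[] = { "short", "exactly8", "far too long" }; /* constructed */
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("strncpy  %-14s terminated=%d\n", inputs[i],
               copy_strncpy(buf, sizeof buf, inputs[i]));
        printf("snprintf %-14s fit=%d result=\"%s\"\n", inputs[i],
               copy_snprintf(buf, sizeof buf, inputs[i]), buf);
    }
    return 0;
}
```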