Date: Thu, 19 Feb 2009 23:21:05 +0100
From: Aurelien Jarno
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 4/4] Fix CVE-2008-0928 - insufficient block device address range checking
Message-ID: <20090219222105.GD27283@hall.aurel32.net>
References: <1235078376-25559-1-git-send-email-ehabkost@redhat.com> <1235078376-25559-5-git-send-email-ehabkost@redhat.com>
In-Reply-To: <1235078376-25559-5-git-send-email-ehabkost@redhat.com>
List-Id: qemu-devel.nongnu.org

On Thu, Feb 19, 2009 at 06:19:36PM -0300, Eduardo Habkost wrote:
> From: Aurelien Jarno
>
> This is based on an old patch committed by Aurelien Jarno whose commit
> message was:
>
> Fix CVE-2008-0928 - insufficient block device address range checking
>
> Qemu 0.9.1 and earlier does not perform range checks for block device
> read or write requests, which allows guest host users with root
> privileges to access arbitrary memory and escape the virtual machine.
>
> In addition to the changes done by the previous patch, this patch changes
> total_sectors to total_bytes, so that the range checking works for
> backing devices that are not sector-based (for example, when block-qcow
> is reading the backing file). This was done to avoid bugs such as:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=485148
>

I don't think it addresses the comments from Fabrice Bellard [1], which
were the primary reason why this patch was reverted [2]. He asked that
the tests be done in block-{qcow,qcow2,vmdk}.c.

[1] http://lists.gnu.org/archive/html/qemu-devel/2008-03/msg00128.html
[2] http://lists.gnu.org/archive/html/qemu-devel/2008-03/msg00132.html

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                    http://www.aurel32.net
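As an added illustration (editor's example, not code from this patch, from QEMU, or from either participant; the function names and the 1000-byte backing file are constructed), the point the commit message makes about sector-based versus byte-based range checking, and, going beyond what the thread itself states, why the check must also be written so that it cannot wrap around:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE 512

/* Byte-granular check: [offset, offset + len) must lie inside [0, total_bytes).
 * Written with a subtraction so no intermediate sum can overflow.
 * Hypothetical helper, not QEMU's own function. */
bool request_in_range_bytes(int64_t total_bytes, int64_t offset, int64_t len)
{
    if (total_bytes < 0 || offset < 0 || len < 0)
        return false;
    if (offset > total_bytes)
        return false;
    return len <= total_bytes - offset;
}

/* A sector-granular request checked against the byte-granular device size.
 * The multiplications are guarded so a huge sector_num cannot wrap into a
 * small byte offset. */
bool request_in_range_sectors(int64_t total_bytes, int64_t sector_num, int64_t nb_sectors)
{
    if (sector_num < 0 || nb_sectors < 0)
        return false;
    if (sector_num > INT64_MAX / SECTOR_SIZE || nb_sectors > INT64_MAX / SECTOR_SIZE)
        return false;
    return request_in_range_bytes(total_bytes, sector_num * SECTOR_SIZE,
                                  nb_sectors * SECTOR_SIZE);
}

/* The same byte request judged the sector-based way: the device size is
 * rounded down to whole sectors (total_sectors) and the request rounded out
 * to the sectors it touches.  A trailing partial sector of a backing file is
 * lost, so an in-range read of its tail is wrongly rejected. */
bool request_in_range_bytes_via_sectors(int64_t total_bytes, int64_t offset, int64_t len)
{
    if (total_bytes < 0 || offset < 0 || len < 0)
        return false;
    int64_t total_sectors = total_bytes / SECTOR_SIZE;   /* 1000 bytes -> 1 sector */
    if (len == 0)
        return offset / SECTOR_SIZE <= total_sectors;
    if (offset > INT64_MAX - len)
        return false;                                    /* end would overflow */
    int64_t end = offset + len;                          /* exclusive */
    if (end > INT64_MAX - SECTOR_SIZE)
        return false;
    int64_t last_excl = (end + SECTOR_SIZE - 1) / SECTOR_SIZE;
    return last_excl <= total_sectors;
}

/* A check that looks sufficient but is not: the sum wraps.  Unsigned here so
 * the wrap is well defined and observable rather than undefined behaviour. */
bool naive_sector_check(uint64_t total_sectors, uint64_t sector_num, uint64_t nb_sectors)
{
    return sector_num + nb_sectors <= total_sectors;
}

int main(void)
{
    const int64_t backing_bytes = 1000;   /* constructed: not a multiple of 512 */

    printf("tail [900,1000) of 1000-byte file, byte check:   %s\n",
           request_in_range_bytes(backing_bytes, 900, 100) ? "in range" : "rejected");
    printf("tail [900,1000) of 1000-byte file, via sectors:  %s\n",
           request_in_range_bytes_via_sectors(backing_bytes, 900, 100) ? "in range" : "rejected");
    printf("one byte past the end [901,1001), byte check:    %s\n",
           request_in_range_bytes(backing_bytes, 901, 100) ? "in range" : "rejected");
    printf("wrapped sector request, naive check:             %s\n",
           naive_sector_check(2, UINT64_MAX - 1, 2) ? "in range (wrong)" : "rejected");
    printf("wrapped sector request, guarded check:           %s\n",
           request_in_range_sectors(backing_bytes, INT64_MAX - 10, 20) ? "in range (wrong)" : "rejected");
    return 0;
}
```

The first two lines of output show the divergence the commit message is after: the last 100 bytes of a 1000-byte backing file are inside the file, but a check that first truncates the size to whole sectors sees only one sector and rejects the read. The last two lines show why the form of the comparison matters as much as its granularity: `sector_num + nb_sectors <= total_sectors` accepts a request that starts past the end once the sum wraps, while the guarded version rejects it.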