From: Alex Williamson <alex.williamson@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Prasad J Pandit" <ppandit@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/1] display/bochs: fix pcie support (qemu security issue)
Date: Mon, 12 Aug 2019 09:35:10 -0600
Message-ID: <20190812093510.1b85cac8@x1.home>
In-Reply-To: <CAFEAcA-3bFuy2DDG8=-_Y3JO4HWpCW80EcsGWWN8toxiMpafBA@mail.gmail.com>

On Mon, 12 Aug 2019 14:39:53 +0100
Peter Maydell <peter.maydell@linaro.org> wrote:

> On Mon, 12 Aug 2019 at 13:51, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
> >
> > On 8/12/19 2:45 PM, Paolo Bonzini wrote:  
> > > On 12/08/19 08:52, Gerd Hoffmann wrote:  
> > >> Just found while investigating
> > >>   https://bugzilla.redhat.com/show_bug.cgi?id=1707118
> > >>
> > >> Found PCIe extended config space filled with random crap due to
> > >> allocation being too small (conventional pci config space only).
> > >>  
> >
> > Can you amend this information to the commit description?
> >
> > <...
> >  
> > >> PCI(e) config space is guest writable.  Writes are limited by
> > >> write mask (which probably is also filled with random stuff),  
> > >
> > > Yes, it is also allocated with 256 bytes only.
> > >  
> > >> so the guest can only flip enabled bits.  But I suspect it
> > >> still might be exploitable, so rather serious because it might
> > >> be a host escape for the guest.  On the other hand the device
> > >> is probably not yet in widespread use.  
> >  
> > ...>  
> 
> I can add to the commit this paragraph of the cover letter,
> and I think also the 'mitigation' note might as well go in.
> 
> I've also put the cc:stable into the commit message.
> 
> Updated commit, ready to apply to master if we're OK with it:
> 
> https://git.linaro.org/people/peter.maydell/qemu-arm.git/commit/?h=staging&id=c075b5f318a8be628ab8edf93be33f5a93a4aacd

Quoting new commit log:

	This makes sure the pci config space allocation is big enough,
	so accessing the PCIe extended config space doesn't overflow
	the pci config space buffer.

	PCI(e) config space is guest writable.  Writes are limited
	by write mask (which probably is also filled with random stuff),
	so the guest can only flip enabled bits.  But I suspect it
	still might be exploitable, so rather serious because it might
	be a host escape for the guest.  On the other hand the device
	is probably not yet in widespread use.

	Mitigation: use "-device bochs-display" as conventional pci
	device only.

Is it clear to others that this mitigation remark seems to be
referencing an alternative configuration constraint to avoid the issue
rather than what's actually implemented in this patch?  IOW, if we
never place the bochs-display device into a PCIe hierarchy, then
extended config space is never accessible to the guest anyway, and
there is no issue.  I think this was meant to be an alternative to the
patch but the enforcement of that would happen above QEMU, probably why
it was mentioned in the cover letter rather than the original commit
log.  Thanks,

Alex
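The bug discussed in this thread is a size mismatch: the config-space buffer (and its write mask) are allocated for conventional PCI (256 bytes), while a device exposed as PCIe lets the guest address the 4 KiB extended config space, so masked writes land past the end of the allocation. The C below is an added example, not QEMU code: it models the two buffers with a hypothetical `pci_cfg_t` type and `pci_cfg_alloc`/`pci_cfg_write` helpers (names assumed), sizes the allocation by the device's actual config-space extent, and bounds-checks every guest write against the allocated size before applying the write mask.

```c
/* Added example, not QEMU code. Types and function names are hypothetical;
 * only the two size constants (256 / 4096) come from the PCI and PCIe specs. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PCI_CONFIG_SPACE_SIZE  256    /* conventional PCI config space */
#define PCIE_CONFIG_SPACE_SIZE 4096   /* PCIe: conventional + extended space */

typedef struct {
    uint8_t *config;   /* guest-visible config space */
    uint8_t *wmask;    /* per-bit mask: 1 = guest may change this bit */
    size_t   size;     /* bytes actually allocated for both arrays */
} pci_cfg_t;

/* Allocate config space and write mask sized by the device's real extent.
 * The thread's bug is equivalent to always sizing for conventional PCI
 * while the device is later exposed in a PCIe hierarchy. */
static bool pci_cfg_alloc(pci_cfg_t *dev, bool is_pcie)
{
    dev->size   = is_pcie ? PCIE_CONFIG_SPACE_SIZE : PCI_CONFIG_SPACE_SIZE;
    dev->config = calloc(dev->size, 1);
    dev->wmask  = calloc(dev->size, 1);
    if (!dev->config || !dev->wmask) {
        free(dev->config);
        free(dev->wmask);
        dev->config = dev->wmask = NULL;
        dev->size = 0;
        return false;
    }
    return true;
}

static void pci_cfg_free(pci_cfg_t *dev)
{
    free(dev->config);
    free(dev->wmask);
    dev->config = dev->wmask = NULL;
    dev->size = 0;
}

/* Guest write of 1..4 bytes. The range check is against the allocated
 * size (not a hard-coded constant), so an undersized allocation is
 * rejected rather than overflowed. Only wmask bits are changed. */
static bool pci_cfg_write(pci_cfg_t *dev, uint32_t addr, uint32_t val, unsigned len)
{
    if (len == 0 || len > 4 || addr >= dev->size || len > dev->size - addr)
        return false;
    for (unsigned i = 0; i < len; i++) {
        uint8_t b = (uint8_t)(val >> (8 * i));
        uint8_t m = dev->wmask[addr + i];
        dev->config[addr + i] = (uint8_t)((dev->config[addr + i] & ~m) | (b & m));
    }
    return true;
}

/* A conventional-PCI-sized device: a write into the extended space
 * (offset 0x100) must be rejected. Returns 1 if it was rejected. */
static int demo_conventional_rejects_extended(void)
{
    pci_cfg_t dev;
    if (!pci_cfg_alloc(&dev, false)) return -1;
    int rejected = pci_cfg_write(&dev, 0x100, 0xffffffffu, 4) ? 0 : 1;
    pci_cfg_free(&dev);
    return rejected;
}

/* A PCIe-sized device: the same write is in range, and the write mask
 * limits which bits change. Returns the resulting byte at 0x100 (0x0f). */
static int demo_pcie_masked_write(void)
{
    pci_cfg_t dev;
    if (!pci_cfg_alloc(&dev, true)) return -1;
    dev.wmask[0x100] = 0x0f;                   /* only low nibble writable */
    if (!pci_cfg_write(&dev, 0x100, 0xff, 1)) { pci_cfg_free(&dev); return -2; }
    int result = dev.config[0x100];
    pci_cfg_free(&dev);
    return result;
}

/* A write that starts in range but runs past the end must also be rejected.
 * Returns 1 if the 4-byte write at 0xffe was rejected and 0xffc accepted. */
static int demo_tail_bounds(void)
{
    pci_cfg_t dev;
    if (!pci_cfg_alloc(&dev, true)) return -1;
    int ok = !pci_cfg_write(&dev, 0xffe, 0, 4) && pci_cfg_write(&dev, 0xffc, 0, 4);
    pci_cfg_free(&dev);
    return ok;
}

int main(void)
{
    printf("conventional rejects 0x100: %d\n", demo_conventional_rejects_extended());
    printf("pcie masked byte at 0x100: 0x%02x\n", demo_pcie_masked_write());
    printf("tail bounds honoured: %d\n", demo_tail_bounds());
    return 0;
}
```

The point of the example is the check in `pci_cfg_write`: it compares against the size that was actually allocated rather than against a fixed 256 or 4096, so the two sizes cannot silently diverge. The cover letter's mitigation (expose the device only as a conventional PCI device) corresponds to the `is_pcie == false` path, where the extended space is never reachable in the first place.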

