Re: [Qemu-devel] [PATCH 0/1] display/bochs: fix pcie support (qemu security issue)

[Alex Williamson <alex.williamson@redhat.com>]

On Mon, 12 Aug 2019 16:38:05 +0100
Peter Maydell <peter.maydell@linaro.org> wrote:

> On Mon, 12 Aug 2019 at 16:35, Alex Williamson
> <alex.williamson@redhat.com> wrote:
> > Quoting new commit log:
> >
> >         This makes sure the pci config space allocation is big enough,
> >         so accessing the PCIe extended config space doesn't overflow
> >         the pci config space buffer.
> >
> >         PCI(e) config space is guest writable.  Writes are limited
> >         bywrite mask (which probably is also filled with random stuff),
> >         so the guest can only flip enabled bits.  But I suspect it
> >         still might be exploitable, so rather serious because it might
> >         be a host escape for the guest.  On the other hand the device
> >         is probably not yet in widespread use.
> >
> >         Mitigation: use "-device bochs-display" as conventional pci
> >         device only.
> >
> > Is it clear to others that this mitigation remark seems to be
> > referencing an alternative configuration constraint to avoid the issue
> > rather than what's actually implemented in this patch?  IOW, if we
> > never place the bochs-display device into a PCIe hierarchy, then
> > extended config space is never accessible to the guest anyway, and
> > there is no issue.  I think this was meant to be an alternative to the
> > patch but the enforcement of that would happen above QEMU, probably why
> > it was mentioned in the cover letter rather than the original commit
> > log.  Thanks,  
> 
> Yeah, that's unclear in retrospect. How about:
> 
> # (For a QEMU version without this commit, a mitigation for the
> # bug is available: use "-device bochs-display" as a conventional pci
> # device only.)

Yes, better.  Thanks,

Alex