From: John Snow <jsnow@redhat.com>
To: Kevin Wolf <kwolf@redhat.com>, Alexander Popov <alex.popov@linux.com>
Cc: sstabellini@kernel.org, pmatouse@redhat.com,
mdroth@linux.vnet.ibm.com, qemu-block@nongnu.org, mst@redhat.com,
qemu-devel@nongnu.org, qemu-stable@nongnu.org, pjp@redhat.com
Subject: Re: [Qemu-devel] [Qemu-block] [QEMU-SECURITY] ide: fix assertion in ide_dma_cb() to prevent qemu DoS from quest
Date: Tue, 16 Jul 2019 10:57:14 -0400 [thread overview]
Message-ID: <52979901-15a7-ee2c-80d7-4cbbc99f461c@redhat.com> (raw)
In-Reply-To: <20190716112535.GB7297@linux.fritz.box>
On 7/16/19 7:25 AM, Kevin Wolf wrote:
> Am 15.07.2019 um 13:24 hat Alexander Popov geschrieben:
>> On 05.07.2019 17:07, Alexander Popov wrote:
>>> This assertion was introduced in the commit a718978ed58a in July 2015.
>>> It implies that the size of successful DMA transfers handled in
>>> ide_dma_cb() should be multiple of 512 (the size of a sector).
>>>
>>> But guest systems can initiate DMA transfers that don't fit this
>>> requirement. Let's improve the assertion to prevent qemu DoS from quests.
>>
>> Hello!
>>
>> Just a friendly ping.
>>
>> Could you have a look at this patch?
>
> John, I think this is for you.
>
> I haven't reviewed this yet, but if we put an assertion there that the
> request is aligned, we probably rely on this fact somewhere in the code.
> So I suspect that just changing the assertion without changing other
> code, too, might not be enough.
>
> Kevin
>
Right; I'm aware of the patch. It's on the list to investigate today.
I have the same concern that the assertion intuits a bug elsewhere, so I
wanted to give this one a thorough investigation before inclusion for rc1.
Sorry for the delay, it IS on my list, but I also feel that a privileged
DOS by a guest of a legacy device is actually low priority
security-wise, unless we can demonstrate that there are side effects
that can be exploited.
--js
next prev parent reply other threads:[~2019-07-16 14:58 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-05 14:07 [Qemu-devel] [QEMU-SECURITY] ide: fix assertion in ide_dma_cb() to prevent qemu DoS from quest Alexander Popov
2019-07-05 14:13 ` Alexander Popov
2019-07-15 11:24 ` Alexander Popov
2019-07-16 11:25 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
2019-07-16 14:57 ` John Snow [this message]
2019-07-16 16:18 ` P J P
2019-07-26 0:25 ` [Qemu-devel] " John Snow
2019-07-26 21:09 ` Alexander Popov
2019-11-06 12:05 ` Michael S. Tsirkin
2019-11-06 22:05 ` Alexander Popov
2019-11-14 17:31 ` Alexander Popov
2019-11-06 10:17 ` Alexander Popov
2019-11-06 12:08 ` Michael S. Tsirkin
2019-11-06 22:01 ` Alexander Popov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52979901-15a7-ee2c-80d7-4cbbc99f461c@redhat.com \
--to=jsnow@redhat.com \
--cc=alex.popov@linux.com \
--cc=kwolf@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pjp@redhat.com \
--cc=pmatouse@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=sstabellini@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).