From: Dustin Kirkland
Date: Mon, 2 Nov 2009 10:58:44 -0600
Subject: [Qemu-devel] Re: [PATCH] whitelist host virtio networking features [was Re: qemu-kvm-0.11 regression, crashes on older ...]
In-Reply-To: <1257172722.5075.7.camel@blaa>
To: Mark McLoughlin
Cc: Scott Tsai, kvm, Rusty Russell, qemu-devel, jdstrand@canonical.com, Marc Deslauriers, kees.cook@canonical.com

On Mon, Nov 2, 2009 at 8:38 AM, Mark McLoughlin wrote:
> On Fri, 2009-10-30 at 16:15 -0500, Dustin Kirkland wrote:
>> Canonical's Ubuntu Security Team will be filing a CVE on this issue,
>> since there is a bit of an attack vector here, and since
>> qemu-kvm-0.11.0 is generally available as an official release (and now
>> part of Ubuntu 9.10).
>>
>> Guests running linux <= 2.6.25 virtio-net (e.g. Ubuntu 8.04 hardy) on
>> top of qemu-kvm-0.11.0 can be remotely crashed by a non-privileged
>> network user flooding an open port on the guest. The crash happens in
>> a manner that abruptly terminates the guest's execution (i.e., without
>> shutting down cleanly). This may affect the guest filesystem's
>> general happiness.
>
> IMHO, the CVE should be against the 2.6.25 virtio drivers - the bug is
> in the guest and the issue we're discussing here is just a hacky
> workaround for the guest bug.

Kees/Jamie/Marc-

I think Mark has a good point. This bug has two parts. Ultimately, it's triggered by a buggy virtio-net implementation in the Ubuntu 8.04 kernel (as well as any others using the circa 2.6.25 virtio net code). The CVE should probably mention (or focus on) this too.

The qemu-kvm patch is still a good thing to do, as it shouldn't just exit and terminate the VM, so that's needed as well.

:-Dustin