[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 786209] Re: Information leak in IDE core

From: T. Huth
Subject: [Qemu-devel] [Bug 786209] Re: Information leak in IDE core
Date: Thu, 23 Jun 2016 08:42:19 -0000

Fixed here:

** Changed in: qemu
       Status: New => Fix Released

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  Information leak in IDE core

Status in QEMU:
  Fix Released

Bug description:
  When the DRQ_STAT bit is set, the IDE core permits both data reads and
  data writes, regardless of whether the current transfer was initiated
  as a read or write.

  Furthermore, the IO buffer is allocated via a qemu_memalign but not
  initialized or cleared at device creation.

  This potentially leaks uninitialized host memory into the guest, if,
  before doing anything else to an IDE device, the guest begins a write
  transaction (e.g. WIN_WRITE), but then *reads* from the IO port
  instead of writing to it. The IDE core will happily return the
  uninitialized contents of the buffer to the guest, potentially leaking
  offsets that could be used as part of an attack to get around ASLR.

To manage notifications about this bug go to:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]