[PATCH 0/1] CVE-2023-5088

qemu-block

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 0/1] CVE-2023-5088

From:	Simon Rowe
Subject:	[PATCH 0/1] CVE-2023-5088
Date:	Thu, 21 Sep 2023 16:07:11 +0000

The attached patch fixes CVE-2023-5088 in which a bug in QEMU could
cause a guest I/O operation otherwise addressed to an arbitrary disk
offset to be targeted to offset 0 instead (potentially overwriting the
VM's boot code). This could be used, for example, by L2 guests with a
virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1)
hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially
gaining control of L1 at its next reboot.

The symptoms behind this bug have been previously reported as MBR
corruptions and an independent fix has been posted by Fiona Ebner in:

https://lists.gnu.org/archive/html/qemu-devel/2023-08/msg03883.html

Simon Rowe (1):
  hw/ide/core: terminate in-flight DMA on IDE bus reset

 hw/ide/core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.22.3

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/1] CVE-2023-5088, Simon Rowe <=
- [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset, Simon Rowe, 2023/09/21
  - Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset, John Snow, 2023/09/25
    - Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset, Fiona Ebner, 2023/09/26
    - Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset, John Snow, 2023/09/26
    - Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset, Fiona Ebner, 2023/09/28

Prev by Date: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset
Next by Date: Re: [PATCH v3 0/2] qemu-img: map: implement support for compressed clusters
Previous by thread: [PATCH v3 0/7] Steps towards enabling -Wshadow=local
Next by thread: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset
Index(es):
- Date
- Thread