oss-sec mailing list archives

Re: Re: CVE request Qemu: malicious PRDT flow from guest to host


From: P J P <ppandit () redhat com>
Date: Tue, 21 Apr 2015 13:35:13 +0530 (IST)

   Hello,

+-- On Mon, 20 Apr 2015, cve-assign () mitre org wrote --+
| are, that would be helpful. First, we think you mean that there is a
| security impact (not necessarily the same security impact) in both the
| BMDMA case and the AHCI case: is that correct?

  Yes, that's correct.

| Possibility 1:
| 
|   1A: one CVE ID for the use of "return s->io_buffer_size != 0" - this
|       made it impossible for other parts of the code to distinguish
|       between the "0 bytes" case and the "0 complete sectors" case,
|       and caused both impacts: "leaked memory for short PRDTs" and
|       "infinite loops and resource usage"
| 
|   1B: one CVE ID for lack of the 2 GiB limit checking
| 
| Possibility 2:
| 
|   One CVE ID only for item 1A above. 1B has no security impact (e.g.,
|   because it only allows the guest to conduct a DoS attack against
|   itself with a large transfer attempt, or for some other reason)

  IMO, possibility #2 is apt. It covers both the issues affecting BMDMA & 
AHCI.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
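The distinction the quoted item 1A turns on, "0 bytes" versus "0 complete sectors", and the 2 GiB ceiling of item 1B, as a stand-alone C sketch added here for illustration. It is not QEMU's code: the PRD layout follows the BMDMA (SFF-8038i) descriptor (32-bit address, 16-bit byte count where 0 encodes 64 KiB, bit 31 marks end of table), the names prepare_buf_bool, prepare_buf_count, ide_dma_decide and count_uniform_prdt are invented for the example, and the sample tables are constructed, not captured from a guest.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed BMDMA-style PRD entry (SFF-8038i layout): a 32-bit buffer
 * address and a dword whose low 16 bits are the byte count (0 encodes
 * 64 KiB) and whose bit 31 marks the end of the table. */
struct prd {
    uint32_t addr;
    uint32_t size;
};

#define PRD_EOT      0x80000000u
#define SECTOR_SIZE  512u

static uint32_t prd_len(const struct prd *e)
{
    uint32_t len = e->size & 0xffffu;
    return len ? len : 0x10000u;
}

/* Buggy shape, modelled on the "return s->io_buffer_size != 0" idiom quoted
 * in the thread: the walker reports only whether anything was mapped, so a
 * PRDT describing 8 bytes and one describing a full sector both yield 1. */
static int prepare_buf_bool(const struct prd *t, size_t n)
{
    uint32_t io_buffer_size = 0;
    for (size_t i = 0; i < n; i++) {
        io_buffer_size += prd_len(&t[i]);
        if (t[i].size & PRD_EOT)
            break;
    }
    return io_buffer_size != 0;
}

/* Hardened shape (illustrative, not QEMU's code): return the byte count so
 * the caller can tell "0 bytes" (-1), "bytes but no complete sector" (1..511)
 * and "n complete sectors" apart, and refuse a table past 2 GiB instead of
 * letting a 32-bit accumulator wrap. */
static int32_t prepare_buf_count(const struct prd *t, size_t n)
{
    if (n == 0)
        return -1;
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += prd_len(&t[i]);
        if (total > (uint64_t)INT32_MAX)
            return -1;
        if (t[i].size & PRD_EOT)
            break;
    }
    return (int32_t)total;
}

enum dma_action { DMA_ERROR, DMA_WAIT_FOR_PRDT, DMA_TRANSFER };

/* What a DMA callback does with the count: abort on an empty or oversized
 * PRDT, stop and wait for the guest to supply more PRDs on a short one
 * (rather than looping with 0 sectors), transfer whole sectors otherwise. */
static enum dma_action ide_dma_decide(const struct prd *t, size_t n)
{
    int32_t bytes = prepare_buf_count(t, n);
    if (bytes < 0)
        return DMA_ERROR;
    if ((uint32_t)bytes < SECTOR_SIZE)
        return DMA_WAIT_FOR_PRDT;
    return DMA_TRANSFER;
}

/* Helper for the 2 GiB case: `entries` PRDs of 64 KiB each, EOT on the last. */
static int32_t count_uniform_prdt(size_t entries)
{
    if (entries == 0)
        return -1;
    struct prd *t = calloc(entries, sizeof *t);
    if (!t)
        return -1;
    for (size_t i = 0; i < entries; i++) {
        t[i].addr = (uint32_t)(0x10000u * i);
        t[i].size = 0;              /* 0 encodes 64 KiB */
    }
    t[entries - 1].size |= PRD_EOT;
    int32_t r = prepare_buf_count(t, entries);
    free(t);
    return r;
}

/* Constructed sample tables: an 8-byte "short" PRDT and a 512-byte one. */
static const struct prd short_prdt[]  = { { 0x1000, 8 | PRD_EOT } };
static const struct prd sector_prdt[] = { { 0x1000, 256 }, { 0x2000, 256 | PRD_EOT } };

int main(void)
{
    printf("bool:  short=%d sector=%d (indistinguishable)\n",
           prepare_buf_bool(short_prdt, 1), prepare_buf_bool(sector_prdt, 2));
    printf("count: empty=%d short=%d sector=%d over2GiB=%d\n",
           prepare_buf_count(NULL, 0), prepare_buf_count(short_prdt, 1),
           prepare_buf_count(sector_prdt, 2), count_uniform_prdt(32768));
    return 0;
}
```

The point of the signed return is that the caller, not the walker, decides what a short table means: with a boolean the "8 bytes mapped" case looks exactly like "a sector mapped", so a loop that waits for a whole sector can spin without ever making progress. AHCI uses a different descriptor (a 22-bit byte count), so only the decision logic, not the struct, carries over.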

