oss-sec mailing list archives
Re: Re: CVE request Qemu: malicious PRDT flow from guest to host
From: P J P <ppandit () redhat com>
Date: Tue, 21 Apr 2015 13:35:13 +0530 (IST)
Hello,

+-- On Mon, 20 Apr 2015, cve-assign () mitre org wrote --+
| are, that would be helpful. First, we think you mean that there is a
| security impact (not necessarily the same security impact) in both the
| BMDMA case and the AHCI case: is that correct?

Yes, that's correct.

| Possibility 1:
|
| 1A: one CVE ID for the use of "return s->io_buffer_size != 0" - this
| made it impossible for other parts of the code to distinguish
| between the "0 bytes" case and the "0 complete sectors" case,
| and caused both impacts: "leaked memory for short PRDTs" and
| "infinite loops and resource usage"
|
| 1B: one CVE ID for lack of the 2 GiB limit checking
|
| Possibility 2:
|
| One CVE ID only for item 1A above. 1B has no security impact (e.g.,
| because it only allows the guest to conduct a DoS attack against
| itself with a large transfer attempt, or for some other reason)

IMO, possibility #2 is apt. It covers both the issues affecting BMDMA & AHCI.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
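Constructed C model of the return-value ambiguity the quoted text describes (item 1A), added here as an illustration; it is not QEMU's code and not part of the thread. The struct, the function names and the outcome enum are hypothetical; the 512-byte sector, a PRDT byte total standing in for s->io_buffer_size, and the 2 GiB clamp are taken from the discussion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SECTOR_SIZE 512u
#define MAX_XFER (2ull * 1024 * 1024 * 1024) /* the 2 GiB limit the thread mentions */

/* Hypothetical PRDT entry: only the guest-supplied byte count matters here. */
struct prd { uint32_t size; };

/* Sum the PRDT into a transfer length (stand-in for s->io_buffer_size),
 * clamped to MAX_XFER so an oversized table cannot grow it without bound. */
static uint32_t prdt_bytes(const struct prd *prdt, size_t n) {
    uint64_t total = 0;
    for (size_t i = 0; i < n && total < MAX_XFER; i++)
        total += prdt[i].size;
    return total > MAX_XFER ? (uint32_t)MAX_XFER : (uint32_t)total;
}

/* Pre-fix shape: "0 bytes" and "some bytes but 0 complete sectors" both
 * collapse into one bool, so callers cannot tell the two cases apart. */
static bool prepare_buf_old(const struct prd *prdt, size_t n) {
    return prdt_bytes(prdt, n) != 0;
}

/* Post-fix shape: hand the caller the byte count and let it decide. */
static uint32_t prepare_buf_new(const struct prd *prdt, size_t n) {
    return prdt_bytes(prdt, n);
}

enum outcome { XFER_DONE, XFER_CONTINUE, XFER_ERROR };

/* Caller built on the bool API: a 100-byte PRDT and a 100 MiB PRDT look
 * identical, so a short PRDT is re-attempted although no sector can move. */
static enum outcome dma_step_old(const struct prd *prdt, size_t n) {
    return prepare_buf_old(prdt, n) ? XFER_CONTINUE : XFER_DONE;
}

/* Caller built on the byte-count API: a PRDT that maps no complete sector
 * is reported as an error instead of being retried with zero progress. */
static enum outcome dma_step_new(const struct prd *prdt, size_t n) {
    uint32_t bytes = prepare_buf_new(prdt, n);
    if (bytes == 0) return XFER_DONE;
    if (bytes < SECTOR_SIZE) return XFER_ERROR; /* short PRDT: 0 complete sectors */
    return XFER_CONTINUE;
}
```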
Current thread:
- Re: CVE request Qemu: malicious PRDT flow from guest to host P J P (Apr 20)
- <Possible follow-ups>
- Re: CVE request Qemu: malicious PRDT flow from guest to host cve-assign (Apr 20)
- Re: Re: CVE request Qemu: malicious PRDT flow from guest to host P J P (Apr 21)
- Re: CVE request Qemu: malicious PRDT flow from guest to host cve-assign (Apr 21)
- Re: Re: CVE request Qemu: malicious PRDT flow from guest to host P J P (Apr 21)