Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching
From: Pranith Kumar
Subject: Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching
Date: Wed, 22 Mar 2017 10:55:23 -0400
On Mon, Mar 20, 2017 at 10:46 AM, Peter Maydell wrote:
> On 20 March 2017 at 14:36, Jann Horn <address@hidden> wrote:
>> This is an issue in QEMU's system emulation for X86 in TCG mode.
>> The issue permits an attacker who can execute code in guest ring 3
>> with normal user privileges to inject code into other processes that
>> are running in guest ring 3, in particular root-owned processes.
>
>> I am sending this to qemu-devel because a QEMU security contact
>> told me that QEMU does not consider privilege escalation inside a
>> TCG VM to be a security concern.
>
> Correct; it's just a bug. Don't trust TCG QEMU as a security boundary.
>
> We should really fix the crossing-a-page-boundary code for x86.
> I believe we do get it correct for ARM Thumb instructions.
How about doing the instruction size check as follows?
diff --git a/target/i386/translate.c b/target/i386/translate.c
index 72c1b03a2a..94cf3da719 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -8235,6 +8235,10 @@ static target_ulong disas_insn(CPUX86State
*env, DisasContext *s,
default:
goto unknown_op;
}
+ if (s->pc - pc_start > 15) {
+ s->pc = pc_start;
+ goto illegal_op;
+ }
return s->pc;
illegal_op:
gen_illegal_opcode(s);
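Review bot: the check added after the switch rejects only instructions longer than 15 bytes, but the problem Peter names in the quoted reply is an instruction crossing a page boundary, and an instruction of legal length can still straddle two pages, so this hunk does not by itself cover the translation-caching case the thread is about; consider comparing the page of pc_start with the page of the last decoded byte (s->pc - 1) instead of, or in addition to, the length test. Two smaller points: the literal 15 and the `s->pc = pc_start;` rewind before `goto illegal_op` both deserve a comment (the rewind presumably makes the fault report the start of the offending instruction), and because the test runs only after the full decode, the translator has already fetched every byte of an over-long instruction before it is rejected.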
Thanks,
--
Pranith
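The length test in the proposed patch and the page-crossing condition Peter Maydell points at are independent, which is the crux of the exchange above. The following added example (constructed for this page, not QEMU code) models both checks on a 4 KiB guest page and counts how many pages a translation depends on; the page size, the instruction addresses and the helper names are assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not QEMU code. x86 guest pages are 4 KiB. */
#define GUEST_PAGE_BITS 12
#define GUEST_PAGE_MASK (~((UINT64_C(1) << GUEST_PAGE_BITS) - 1))
#define X86_MAX_INSN_LEN 15  /* architectural maximum instruction length */

/* Mirrors the proposed patch: pc is the address just past the decoded
 * instruction, pc_start the address of its first byte. */
static bool insn_too_long(uint64_t pc_start, uint64_t pc)
{
    return pc - pc_start > X86_MAX_INSN_LEN;
}

/* The condition the thread is actually about: does the last byte of the
 * instruction live on a different page than its first byte? */
static bool insn_crosses_page(uint64_t pc_start, uint64_t pc)
{
    if (pc <= pc_start) {
        return false;  /* nothing decoded yet */
    }
    return (pc_start & GUEST_PAGE_MASK) != ((pc - 1) & GUEST_PAGE_MASK);
}

/* Number of guest pages whose bytes the translation depends on (1 or 2);
 * a write to either page must invalidate the cached translation. */
static int insn_page_count(uint64_t pc_start, uint64_t pc)
{
    return insn_crosses_page(pc_start, pc) ? 2 : 1;
}

int main(void)
{
    /* Constructed cases: ordinary, page-straddling, and over-long. */
    struct { uint64_t start; uint64_t len; } cases[] = {
        { 0x401000, 5 },   /* mid-page, legal length */
        { 0x401ffe, 3 },   /* legal length, straddles 0x402000 */
        { 0x401000, 16 },  /* over-long, entirely on one page */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t pc = cases[i].start + cases[i].len;
        printf("start=%#" PRIx64 " len=%" PRIu64
               " too_long=%d crosses_page=%d pages=%d\n",
               cases[i].start, cases[i].len,
               insn_too_long(cases[i].start, pc),
               insn_crosses_page(cases[i].start, pc),
               insn_page_count(cases[i].start, pc));
    }
    return 0;
}
```

The second case passes the length check yet touches two pages, which is the gap the reviewer comment on the hunk describes.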