Date: Tue, 21 Apr 2015 13:35:13 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
cc: cve-assign@...re.org
Subject: Re: Re: CVE request Qemu: malicious PRDT flow from guest to host

Hello,

+-- On Mon, 20 Apr 2015, cve-assign@...re.org wrote --+
| are, that would be helpful. First, we think you mean that there is a
| security impact (not necessarily the same security impact) in both the
| BMDMA case and the AHCI case: is that correct?

Yes, that's correct.

| Possibility 1:
|
|   1A: one CVE ID for the use of "return s->io_buffer_size != 0" - this
|       made it impossible for other parts of the code to distinguish
|       between the "0 bytes" case and the "0 complete sectors" case,
|       and caused both impacts: "leaked memory for short PRDTs" and
|       "infinite loops and resource usage"
|
|   1B: one CVE ID for lack of the 2 GiB limit checking
|
| Possibility 2:
|
|   One CVE ID only for item 1A above. 1B has no security impact (e.g.,
|   because it only allows the guest to conduct a DoS attack against
|   itself with a large transfer attempt, or for some other reason)

IMO, possibility #2 is apt. It covers both the issues affecting BMDMA & AHCI.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F