Date: Tue, 21 Apr 2015 13:35:13 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
cc: cve-assign@...re.org
Subject: Re: Re: CVE request Qemu: malicious PRDT flow from guest to host

   Hello,

+-- On Mon, 20 Apr 2015, cve-assign@...re.org wrote --+
| are, that would be helpful. First, we think you mean that there is a
| security impact (not necessarily the same security impact) in both the
| BMDMA case and the AHCI case: is that correct?

  Yes, that's correct.

| Possibility 1:
| 
|   1A: one CVE ID for the use of "return s->io_buffer_size != 0" - this
|       made it impossible for other parts of the code to distinguish
|       between the "0 bytes" case and the "0 complete sectors" case,
|       and caused both impacts: "leaked memory for short PRDTs" and
|       "infinite loops and resource usage"
| 
|   1B: one CVE ID for lack of the 2 GiB limit checking
| 
| Possibility 2:
| 
|   One CVE ID only for item 1A above. 1B has no security impact (e.g.,
|   because it only allows the guest to conduct a DoS attack against
|   itself with a large transfer attempt, or for some other reason)

  IMO, possibility #2 is apt. It covers both the issues affecting BMDMA & 
AHCI.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
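As an added illustration of the distinction cve-assign draws above (a "0 bytes" result versus a "0 complete sectors" result), this constructed C model, which is not QEMU's code, contrasts a transfer loop that only learns `io_buffer_size != 0` with one that receives the byte count and can reject a short PRDT. The descriptor layout, the 512-byte sector size, the sample tables and all function names are simplifying assumptions.

```c
/* Constructed model of the PRDT bookkeeping discussed above; not QEMU's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SECTOR_SIZE 512
/* One physical region descriptor: guest address, byte count, end-of-table flag. */
typedef struct { uint32_t addr; uint32_t size; bool eot; } prd_t;
/* Constructed sample tables: one shorter than a sector, one exactly a sector. */
static const prd_t short_prdt[] = { { 0x1000, 100, true } };
static const prd_t good_prdt[]  = { { 0x1000, SECTOR_SIZE, true } };

/* Walk a guest-supplied PRDT and return the bytes it describes, capped at 'limit'. */
static size_t prdt_bytes(const prd_t *prdt, size_t n, size_t limit) {
    size_t total = 0;
    for (size_t i = 0; i < n && total < limit; i++) {
        size_t len = prdt[i].size;
        if (len > limit - total) len = limit - total;
        total += len;
        if (prdt[i].eot) break;
    }
    return total;
}

/* Pre-fix shape: the caller is told only "io_buffer_size != 0". A short PRDT counts as
 * "data present" yet yields 0 complete sectors, so 'done' never advances.
 * Returns the iteration count; reaching max_iters means the loop was stuck. */
static int dma_loop_bool(const prd_t *prdt, size_t n, size_t want, int max_iters) {
    size_t done = 0; int iters = 0;
    while (done < want && iters < max_iters) {
        iters++;
        size_t io_buffer_size = prdt_bytes(prdt, n, want - done);
        if (io_buffer_size == 0) return -1;          /* the only test the bool allows */
        done += (io_buffer_size / SECTOR_SIZE) * SECTOR_SIZE;  /* 100 bytes -> 0 sectors */
    }
    return iters;
}

/* Fixed shape: the byte count itself reaches the caller, so "0 complete sectors" is
 * detectable and handled like "0 bytes": fail the transfer instead of retrying it. */
static int dma_loop_bytes(const prd_t *prdt, size_t n, size_t want, int max_iters) {
    size_t done = 0; int iters = 0;
    while (done < want && iters < max_iters) {
        iters++;
        size_t bytes = prdt_bytes(prdt, n, want - done);
        if (bytes < SECTOR_SIZE) return -1;          /* 0 bytes or short PRDT: fail */
        done += (bytes / SECTOR_SIZE) * SECTOR_SIZE;
    }
    return iters;
}
```

With the short table, `dma_loop_bool` spins until the iteration cap while `dma_loop_bytes` fails the transfer on the first pass; with the full-sector table both finish in one iteration.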
