Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Apr 2015 13:35:13 +0530 (IST)
From: P J P <>
To: oss security list <>
Subject: Re: Re: CVE request Qemu: malicious PRDT flow from
 guest to host


+-- On Mon, 20 Apr 2015, wrote --+
| are, that would be helpful. First, we think you mean that there is a
| security impact (not necessarily the same security impact) in both the
| BMDMA case and the AHCI case: is that correct?

  Yes, that's correct.

| Possibility 1:
|   1A: one CVE ID for the use of "return s->io_buffer_size != 0" - this
|       made it impossible for other parts of the code to distinguish
|       between the "0 bytes" case and the "0 complete sectors" case,
|       and caused both impacts: "leaked memory for short PRDTs" and
|       "infinite loops and resource usage"
|   1B: one CVE ID for lack of the 2 GiB limit checking
| Possibility 2:
|   One CVE ID only for item 1A above. 1B has no security impact (e.g.,
|   because it only allows the guest to conduct a DoS attack against
|   itself with a large transfer attempt, or for some other reason)

  IMO, possibility #2 is apt. It covers both the issues affecting BMDMA & 

Thank you.
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.