Information leak in IDE core

Bug #786209 reported by Nelson Elhage
Affects: QEMU
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

When the DRQ_STAT bit is set, the IDE core permits both data reads and data writes, regardless of whether the current transfer was initiated as a read or write.

Furthermore, the IO buffer is allocated via a qemu_memalign but not initialized or cleared at device creation.

This potentially leaks uninitialized host memory into the guest, if, before doing anything else to an IDE device, the guest begins a write transaction (e.g. WIN_WRITE), but then *reads* from the IO port instead of writing to it. The IDE core will happily return the uninitialized contents of the buffer to the guest, potentially leaking offsets that could be used as part of an attack to get around ASLR.

Nelson Elhage (nelhage)
visibility: private → public
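The two defects the report names (a data port that serves reads during a write-initiated DRQ phase, and an IO buffer handed out without being cleared) are easiest to see side by side in a small model. The code below is an added illustration, not QEMU's hw/ide/core.c: it models the data-port path in C with a `hardened` switch that turns on the two mitigations a reviewer would ask for (zero the buffer when the device is created, and let the data port honour only the direction the transfer was started with). The DRQ_STAT value, the sector size, the disk array and the 0xA5 fill standing in for stale host memory are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for this model; not QEMU's definitions. */
#define DRQ_STAT    0x08
#define SECTOR_SIZE 16      /* tiny sector so the demo stays short */

enum xfer_dir { XFER_NONE, XFER_READ, XFER_WRITE };

typedef struct {
    uint8_t status;
    enum xfer_dir dir;         /* direction the current DRQ transfer was started with */
    uint8_t *io_buffer;
    uint8_t *data_ptr, *data_end;
    uint8_t disk[SECTOR_SIZE]; /* the single backing sector */
} ide_model;

/* Stand-in for qemu_memalign: returns memory that is NOT cleared. The 0xA5
 * fill is constructed so that "stale host memory" is observable in a test;
 * real allocator leftovers would hold unpredictable pointers and data. */
static uint8_t *alloc_uninit(size_t n) {
    uint8_t *p = malloc(n);
    if (p) memset(p, 0xA5, n);
    return p;
}

static void ide_init(ide_model *s, int hardened) {
    memset(s, 0, sizeof *s);
    s->io_buffer = alloc_uninit(SECTOR_SIZE);
    if (hardened)
        memset(s->io_buffer, 0, SECTOR_SIZE); /* fix 1: never expose allocator leftovers */
    s->data_ptr = s->data_end = s->io_buffer;
}

/* WIN_WRITE-style command: DRQ set, the guest is expected to WRITE a sector. */
void ide_cmd_write(ide_model *s) {
    s->dir = XFER_WRITE;
    s->data_ptr = s->io_buffer;
    s->data_end = s->io_buffer + SECTOR_SIZE;
    s->status |= DRQ_STAT;
}

/* WIN_READ-style command: sector copied into io_buffer, the guest is expected to READ. */
void ide_cmd_read(ide_model *s) {
    memcpy(s->io_buffer, s->disk, SECTOR_SIZE);
    s->dir = XFER_READ;
    s->data_ptr = s->io_buffer;
    s->data_end = s->io_buffer + SECTOR_SIZE;
    s->status |= DRQ_STAT;
}

static void ide_xfer_done(ide_model *s) {
    if (s->dir == XFER_WRITE)
        memcpy(s->disk, s->io_buffer, SECTOR_SIZE); /* commit the written sector */
    s->status &= ~DRQ_STAT;
    s->dir = XFER_NONE;
}

/* Data-port write (guest -> device). */
int ide_data_write(ide_model *s, uint8_t v, int hardened) {
    if (!(s->status & DRQ_STAT) || s->data_ptr >= s->data_end) return -1;
    if (hardened && s->dir != XFER_WRITE) return -1; /* fix 2: direction is enforced */
    *s->data_ptr++ = v;
    if (s->data_ptr == s->data_end) ide_xfer_done(s);
    return 0;
}

/* Data-port read (device -> guest). In the vulnerable model any DRQ phase is
 * readable, so a read during a WIN_WRITE phase hands out whatever the buffer holds. */
int ide_data_read(ide_model *s, int hardened) {
    if (!(s->status & DRQ_STAT) || s->data_ptr >= s->data_end) return -1;
    if (hardened && s->dir != XFER_READ) return -1;  /* fix 2 again, read side */
    int v = *s->data_ptr++;
    if (s->data_ptr == s->data_end) ide_xfer_done(s);
    return v;
}

/* The sequence from the report: start a write, then read the data port.
 * Returns the first byte the guest sees, or -1 if the read is refused. */
int first_byte_after_write_then_read(int hardened) {
    ide_model s;
    ide_init(&s, hardened);
    ide_cmd_write(&s);
    int v = ide_data_read(&s, hardened);
    free(s.io_buffer);
    return v;
}

/* Normal use still works in the hardened model: write a sector, read it back. */
int roundtrip_ok(void) {
    ide_model s;
    int ok = 1;
    ide_init(&s, 1);
    ide_cmd_write(&s);
    for (int i = 0; i < SECTOR_SIZE && ok; i++)
        ok = ide_data_write(&s, (uint8_t)(i * 3), 1) == 0;
    ide_cmd_read(&s);
    for (int i = 0; i < SECTOR_SIZE && ok; i++)
        ok = ide_data_read(&s, 1) == i * 3;
    free(s.io_buffer);
    return ok;
}
```

With `hardened` off, `first_byte_after_write_then_read` returns the constructed 0xA5 fill: the guest never wrote anything, yet the data port returns buffer contents, which is exactly the exposure of uninitialized host memory the report describes. With `hardened` on the same read is refused, and `roundtrip_ok` shows that a well-formed write followed by a read transfer still works, so the direction check does not break the normal command flow. Either fix on its own closes the specific leak; keeping both means a future direction bug cannot resurface allocator leftovers.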
Qiao Liyong (qiaoly) wrote :

hi Nelson:

    what does the flag 'DRQ_STAT' mean for HD_STATUS?

Thomas Huth (th-huth) wrote :
Changed in qemu:
status: New → Fix Released