Information leak in IDE core
Bug #786209 reported by
Nelson Elhage
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| QEMU |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
When the DRQ_STAT bit is set, the IDE core permits both data reads and data writes, regardless of whether the current transfer was initiated as a read or write.
Furthermore, the IO buffer is allocated via a qemu_memalign but not initialized or cleared at device creation.
This potentially leaks uninitialized host memory into the guest, if, before doing anything else to an IDE device, the guest begins a write transaction (e.g. WIN_WRITE), but then *reads* from the IO port instead of writing to it. The IDE core will happily return the uninitialized contents of the buffer to the guest, potentially leaking offsets that could be used as part of an attack to get around ASLR.
| visibility: | private → public |
Revision history for this message
| Qiao Liyong (qiaoly) wrote | #1 |
Revision history for this message
| Thomas Huth (th-huth) wrote | #2 |
| Changed in qemu: | |
| status: | New → Fix Released |
To post a comment you must log in.
hi Nelson :
what 's the flag 'DRQ_STAT' mean for HD_STATUS ?