Message ID | 20211124161536.631563-1-philmd@redhat.com (mailing list archive)
---|---
Series | hw/block/fdc: Fix CVE-2021-20196
On Wed, Nov 24, 2021 at 11:15 AM Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
> Since v3:
> - Preliminary extract blk_create_empty_drive()
> - qtest checks qtest_check_clang_sanitizer() enabled
> - qtest uses null-co:// driver instead of file
>
> Philippe Mathieu-Daudé (3):
>   hw/block/fdc: Extract blk_create_empty_drive()
>   hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
>   tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
>
>  hw/block/fdc.c         | 23 ++++++++++++++++++++---
>  tests/qtest/fdc-test.c | 38 ++++++++++++++++++++++++++++++++++++++
>  2 files changed, 58 insertions(+), 3 deletions(-)
>
> --
> 2.33.1
>

I'm testing this now. I'm going to take your word for it. If Hanna is fine with the block-layer components of the fix, I'll probably take it, but I will be sending a patch to remove myself as maintainer in the process, since I don't have the time to do the "proper fix" for these devices, and haven't for quite some time.

--js
On 24.11.2021 at 17:15, Philippe Mathieu-Daudé wrote:
> Since v3:
> - Preliminary extract blk_create_empty_drive()
> - qtest checks qtest_check_clang_sanitizer() enabled
> - qtest uses null-co:// driver instead of file
>
> Philippe Mathieu-Daudé (3):
>   hw/block/fdc: Extract blk_create_empty_drive()
>   hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
>   tests/qtest/fdc-test: Add a regression test for CVE-2021-20196

If I may ask a meta question: No doubt that this is a bug and it's good that we fixed it, but why was it assigned a CVE?

Any guest can legitimately shut down and we don't consider that a denial of service. This bug was essentially just another undocumented way for the guest kernel to shut down, as unprivileged users in the guest can't normally access the I/O ports of the floppy controller. I don't think we generally consider guests killing themselves a security problem as long as it requires kernel or root privileges in the guest.

Kevin
On 12/10/21 14:42, Kevin Wolf wrote:
> On 24.11.2021 at 17:15, Philippe Mathieu-Daudé wrote:
>> Since v3:
>> - Preliminary extract blk_create_empty_drive()
>> - qtest checks qtest_check_clang_sanitizer() enabled
>> - qtest uses null-co:// driver instead of file
>>
>> Philippe Mathieu-Daudé (3):
>>   hw/block/fdc: Extract blk_create_empty_drive()
>>   hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
>>   tests/qtest/fdc-test: Add a regression test for CVE-2021-20196
>
> If I may ask a meta question: No doubt that this is a bug and it's good
> that we fixed it, but why was it assigned a CVE?

No clue, I suppose this is audited and handled by qemu-security@ team members. Cc'ing them.

> Any guest can legitimately shut down and we don't consider that a denial
> of service. This bug was essentially just another undocumented way for
> the guest kernel to shut down, as unprivileged users in the guest can't
> normally access the I/O ports of the floppy controller. I don't think we
> generally consider guests killing themselves a security problem as long
> as it requires kernel or root privileges in the guest.

Agreed.