On 20 March 2017 at 14:36, Jann Horn <ja...@google.com> wrote:
> This is an issue in QEMU's system emulation for X86 in TCG mode.
> The issue permits an attacker who can execute code in guest ring 3
> with normal user privileges to inject code into other processes that
> are running in guest ring 3, in particular root-owned processes.
>
> I am sending this to qemu-devel because a QEMU security contact
> told me that QEMU does not consider privilege escalation inside a
> TCG VM to be a security concern.

Correct; it's just a bug. Don't trust TCG QEMU as a security boundary.

We should really fix the crossing-a-page-boundary code for x86. I believe we do get it correct for ARM Thumb instructions.

thanks
-- PMM