On Mon, 12 Aug 2019 at 16:35, Alex Williamson <alex.william...@redhat.com> wrote: > Quoting new commit log: > > This makes sure the pci config space allocation is big enough, > so accessing the PCIe extended config space doesn't overflow > the pci config space buffer. > > PCI(e) config space is guest writable. Writes are limited > bywrite mask (which probably is also filled with random stuff), > so the guest can only flip enabled bits. But I suspect it > still might be exploitable, so rather serious because it might > be a host escape for the guest. On the other hand the device > is probably not yet in widespread use. > > Mitigation: use "-device bochs-display" as conventional pci > device only. > > Is it clear to others that this mitigation remark seems to be > referencing an alternative configuration constraint to avoid the issue > rather than what's actually implemented in this patch? IOW, if we > never place the bochs-display device into a PCIe hierarchy, then > extended config space is never accessible to the guest anyway, and > there is no issue. I think this was meant to be an alternative to the > patch but the enforcement of that would happen above QEMU, probably why > it was mentioned in the cover letter rather than the original commit > log. Thanks,
Yeah, that's unclear in retrospect. How about: # (For a QEMU version without this commit, a mitigation for the # bug is available: use "-device bochs-display" as a conventional pci # device only.) ? thanks -- PMM