On 26.09.23 at 16:45, John Snow wrote:
>
>
> On Tue, Sep 26, 2023, 3:11 AM Fiona Ebner <f.eb...@proxmox.com
> <mailto:f.eb...@proxmox.com>> wrote:
>
> On 25.09.23 at 21:53, John Snow wrote:
> > On Thu, Sep 21, 2023 at 12:07 PM Simon Rowe
> <simon.r...@nutanix.com <mailto:simon.r...@nutanix.com>> wrote:
> >>
> >> When an IDE controller is reset, its internal state is being cleared
> >> before any outstanding I/O is cancelled. If a response to DMA is
> >> received in this window, the aio callback will incorrectly continue
> >> with the next part of the transfer (now using sector 0 from
> >> the cleared controller state).
> >
> > Eugh, yikes. It feels like we should fix the cancellation ...
>
> Please note that there already is a patch for that on the list:
> https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html
> <https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html>
>
> Best Regards,
> Fiona
>
>
> Gotcha, thanks for the pointer. I wonder if that's sufficient to fix the
> CVE here? I don't have the reproducer in my hands (that I know of ...
> it's genuinely possible I missed it, apologies)
>
AFAICT, yes, because the DMA callback is invoked before resetting the state now. But I'm not 100% sure if it can't be triggered in some other way, maybe Simon knows more?

I don't have a reproducer for the CVE either, but the second patch after the one linked above adds a qtest for the reset scenario.

Best Regards,
Fiona
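As an added illustration, not QEMU's code and not the patch on the list: a toy C model of the ordering problem Simon describes, run once with the buggy reset order (clear state, then cancel I/O) and once with the corrected order. All names (`ide_state_t`, `dma_cb`, `cancel_io`, `clear_state`) are invented for the model, and "cancel" here merely drops the pending flag, whereas the real fix invokes the callback before the state is reset.

```c
#include <stdbool.h>

/* Hypothetical model (not QEMU code) of an IDE controller with one in-flight
 * multi-sector DMA transfer. A completion callback advances the transfer;
 * reset must both cancel the transfer and clear the state. Which of those two
 * happens first decides what a completion landing in between acts on. */
typedef struct {
    int  sector;        /* next sector of the in-flight transfer */
    int  remaining;     /* sectors still to transfer */
    bool dma_pending;   /* a completion callback is still outstanding */
} ide_state_t;

#define NO_SECTOR (-1)

/* Completion callback: continue with the next part of the transfer.
 * Returns the sector it continued from, or NO_SECTOR if it did nothing. */
static int dma_cb(ide_state_t *s) {
    if (!s->dma_pending) return NO_SECTOR;  /* already cancelled: bail out */
    s->dma_pending = false;
    int used = s->sector;
    s->sector++; s->remaining--;
    return used;
}

static void clear_state(ide_state_t *s) { s->sector = 0; s->remaining = 0; }
static void cancel_io(ide_state_t *s)   { s->dma_pending = false; }

static ide_state_t start_transfer(void) {
    ide_state_t s = { .sector = 42, .remaining = 8, .dma_pending = true };
    return s;   /* constructed sample transfer starting at sector 42 */
}

/* Buggy order: clear first, cancel second. A completion that arrives in the
 * window between them continues the transfer from the cleared sector 0. */
static int race_with_buggy_reset(void) {
    ide_state_t s = start_transfer();
    clear_state(&s);
    int used = dma_cb(&s);   /* DMA response arrives inside the window */
    cancel_io(&s);
    return used;             /* returns 0: acted on cleared state */
}
/* Fixed order: cancel outstanding I/O first, then clear. A late completion
 * sees dma_pending == false and does nothing. */
static int race_with_fixed_reset(void) {
    ide_state_t s = start_transfer();
    cancel_io(&s);
    int used = dma_cb(&s);   /* same late response, now a no-op */
    clear_state(&s);
    return used;             /* returns NO_SECTOR */
}
```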