CVE-2023-5088 | Patchew

[PATCH 0/1] CVE-2023-5088

Simon Rowe posted 1 patch 7 months, 2 weeks ago

Download series mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20230921160712.99521-1-simon.rowe@nutanix.com

Maintainers: John Snow <jsnow@redhat.com>

hw/ide/core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

Expand all Fold all

[PATCH 0/1] CVE-2023-5088

Posted by Simon Rowe 7 months, 2 weeks ago

The attached patch fixes CVE-2023-5088 in which a bug in QEMU could
cause a guest I/O operation otherwise addressed to an arbitrary disk
offset to be targeted to offset 0 instead (potentially overwriting the
VM's boot code). This could be used, for example, by L2 guests with a
virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1)
hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially
gaining control of L1 at its next reboot.

The symptoms behind this bug have been previously reported as MBR
corruptions and an independent fix has been posted by Fiona Ebner in:

https://lists.gnu.org/archive/html/qemu-devel/2023-08/msg03883.html

Simon Rowe (1):
  hw/ide/core: terminate in-flight DMA on IDE bus reset

 hw/ide/core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.22.3