[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset
|
From: |
Fiona Ebner |
|
Subject: |
Re: [PATCH 1/1] hw/ide/core: terminate in-flight DMA on IDE bus reset |
|
Date: |
Thu, 28 Sep 2023 13:23:11 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1 |
Am 26.09.23 um 16:45 schrieb John Snow:
>
>
> On Tue, Sep 26, 2023, 3:11 AM Fiona Ebner <f.ebner@proxmox.com
> <mailto:f.ebner@proxmox.com>> wrote:
>
> Am 25.09.23 um 21:53 schrieb John Snow:
> > On Thu, Sep 21, 2023 at 12:07 PM Simon Rowe
> <simon.rowe@nutanix.com <mailto:simon.rowe@nutanix.com>> wrote:
> >>
> >> When an IDE controller is reset, its internal state is being cleared
> >> before any outstanding I/O is cancelled. If a response to DMA is
> >> received in this window, the aio callback will incorrectly continue
> >> with the next part of the transfer (now using sector 0 from
> >> the cleared controller state).
> >
> > Eugh, yikes. It feels like we should fix the cancellation ...
> Please note that there already is a patch for that on the list:
> https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html
> <https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html>
>
> Best Regards,
> Fiona
>
>
> Gotcha, thanks for the pointer. I wonder if that's sufficient to fix the
> CVE here? I don't have the reproducer in my hands (that I know of ...
> it's genuinely possible I missed it, apologies)
>
AFAICT, yes, because the DMA callback is invoked before resetting the
state now. But not 100% sure if it can't be triggered in some other way,
maybe Simon knows more? I don't have a reproducer for the CVE either,
but the second patch after the one linked above adds a qtest for the
reset scenario.
Best Regards,
Fiona