qemu-devel

From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH 0/1] display/bochs: fix pcie support (qemu security issue)
Date: Mon, 12 Aug 2019 17:34:56 +0100

On Mon, 12 Aug 2019 at 16:48, Alex Williamson
<address@hidden> wrote:
>
> On Mon, 12 Aug 2019 16:38:05 +0100
> Peter Maydell <address@hidden> wrote:
>
> > On Mon, 12 Aug 2019 at 16:35, Alex Williamson
> > <address@hidden> wrote:
> > > Quoting new commit log:
> > >
> > >         This makes sure the pci config space allocation is big enough,
> > >         so accessing the PCIe extended config space doesn't overflow
> > >         the pci config space buffer.
> > >
> > >         PCI(e) config space is guest writable.  Writes are limited
> > >         by write mask (which probably is also filled with random stuff),
> > >         so the guest can only flip enabled bits.  But I suspect it
> > >         still might be exploitable, so rather serious because it might
> > >         be a host escape for the guest.  On the other hand the device
> > >         is probably not yet in widespread use.
> > >
> > >         Mitigation: use "-device bochs-display" as conventional pci
> > >         device only.
> > >
> > > Is it clear to others that this mitigation remark seems to be
> > > referencing an alternative configuration constraint to avoid the issue
> > > rather than what's actually implemented in this patch?  IOW, if we
> > > never place the bochs-display device into a PCIe hierarchy, then
> > > extended config space is never accessible to the guest anyway, and
> > > there is no issue.  I think this was meant to be an alternative to the
> > > patch but the enforcement of that would happen above QEMU, probably why
> > > it was mentioned in the cover letter rather than the original commit
> > > log.  Thanks,
> >
> > Yeah, that's unclear in retrospect. How about:
> >
> > # (For a QEMU version without this commit, a mitigation for the
> > # bug is available: use "-device bochs-display" as a conventional pci
> > # device only.)
>
> Yes, better.  Thanks,

Cool. Updated commit message now pushed to master.

-- PMM
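An added illustration of the size mismatch the quoted commit log describes, constructed for this page rather than taken from QEMU's PCI or bochs-display code (`ToyPciDev`, `toy_dev_init`, `toy_config_write` and `extended_write_result` are hypothetical names): a config space buffer sized for conventional PCI versus PCIe, a guest write at the first extended offset, and a write mask limiting which bits can flip.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Conventional PCI exposes 256 bytes of config space; PCIe extends it to 4 KiB. */
#define PCI_CONFIG_SPACE_SIZE   256
#define PCIE_CONFIG_SPACE_SIZE  4096

/* Toy device model constructed for this example (not QEMU's PCIDevice). */
typedef struct {
    uint8_t *config;  /* guest-visible config space */
    uint8_t *wmask;   /* write mask: a guest write can only flip bits set here */
    size_t   size;    /* bytes actually allocated for config and wmask */
} ToyPciDev;

/* Size both buffers for the bus the device sits on; a 256-byte allocation on PCIe is the mismatch the fix addresses. */
static bool toy_dev_init(ToyPciDev *d, bool is_pcie)
{
    d->size = is_pcie ? PCIE_CONFIG_SPACE_SIZE : PCI_CONFIG_SPACE_SIZE;
    d->config = calloc(d->size, 1);
    d->wmask = calloc(d->size, 1);
    return d->config != NULL && d->wmask != NULL;
}

/* Guest write of one byte. The bounds check keeps an extended-config offset
 * (0x100..0xfff) from indexing past a buffer sized for conventional PCI. */
static bool toy_config_write(ToyPciDev *d, uint32_t addr, uint8_t val)
{
    if (addr >= d->size) {
        return false;  /* reject instead of writing out of bounds */
    }
    d->config[addr] = (d->config[addr] & ~d->wmask[addr]) | (val & d->wmask[addr]);
    return true;
}

/* Scenario: guest writes 0xff at extended offset 0x100 with only the low nibble
 * write-enabled. Returns the stored byte, or -1 if the write was rejected. */
static int extended_write_result(bool is_pcie)
{
    ToyPciDev d;
    int r = -1;
    if (toy_dev_init(&d, is_pcie)) {
        if (d.size > 0x100) d.wmask[0x100] = 0x0f;
        if (toy_config_write(&d, 0x100, 0xff)) r = d.config[0x100];
    }
    free(d.config);
    free(d.wmask);
    return r;
}
```

With the device on a conventional PCI bus the extended write is refused outright; on a PCIe bus it lands inside the 4 KiB allocation and only the mask-enabled bits (0x0f) change.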