On 19/05/2017 11:46, Wanpeng Li wrote: > From: Wanpeng Li <[email protected]> > > Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation. > > - "inb" instruction to access PIT Mod/Command register (ioport 0x43, write > only, > a read should be ignored) in guest can get a random number. > - "rep insb" instruction to access PIT register port 0x43 can control > memcpy() > in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 > bytes, > which will disclose the unimportant kernel memory in host but no crash.
The data comes simply from the last PIO read, right? The vcpu struct is zero-initialized, so there is no kernel memory leak---the byte was already previously known to the guest. Good catch though, and the patch looks good. Thanks, Paolo > The similar test program below can reproduce the read out-of-bounds > vulnerability:
