On 19/05/2017 11:46, Wanpeng Li wrote: > From: Wanpeng Li <wanpeng.li@xxxxxxxxxxx> > > Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation. > > - "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only, > a read should be ignored) in guest can get a random number. > - "rep insb" instruction to access PIT register port 0x43 can control memcpy() > in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes, > which will disclose the unimportant kernel memory in host but no crash. The data comes simply from the last PIO read, right? The vcpu struct is zero-initialized, so there is no kernel memory leak---the byte was already previously known to the guest. Good catch though, and the patch looks good. Thanks, Paolo > The similar test program below can reproduce the read out-of-bounds vulnerability:
