科技回声

"However, while real X86 processors have a maximum instruction length of 15 bytes, QEMU's instruction decoder for X86 does not place any limit on the instruction and length or the number of instruction prefixes."Interesting, and not your usual type of exploit. Guessing this isn't one that will have the Rust crowd doling out "told ya so" :). Logic error only. No buffer overflow, not much strong types do for you, etc.

> To be clear: As far as I know, this bug only affects the TCG mode (without hardware acceleration), not KVM VMs or so.I wonder what's the reach of that bug.

Not sure why this wasn't duped to <a href="https://news.ycombinator.com/item?id=13921305" rel="nofollow">https://news.ycombinator.com/item?id=13921305</a>

> To be clear: As far as I know, this bug only affects the TCG mode (without hardware acceleration), not KVM VMs or so.I wonder what's the reach of that bug.

Not sure why this wasn't duped to <a href="https://news.ycombinator.com/item?id=13921305" rel="nofollow">https://news.ycombinator.com/item?id=13921305</a>

QEMU: user-to-root privesc inside VM via bad translation caching

3 条评论

QEMU: user-to-root privesc inside VM via bad translation caching

3 条评论