Displaying 20 results from an estimated 20 matches for "toctou".
2025 Jan 09
1
ssh-keygen: error if file is directory
There is another concept that I neglected to mention. In cases where
something is checked and then later used there is a gap of time when
the thing that was checked might be moved out of the way and replaced
with a different thing before it is used. That's a classic race
condition attack. There is really nothing to attack here but the
concept is the same.
In that case adding the directory
2012 Aug 19
3
Bug Report and patch fix
Hi
I found this issue in scp in the following blog link
http://oldpapyrus.wordpress.com/2012/08/08/scp-a-funny-error/
When the wrong local file name is specified in local to remote transfer
mode, scp first tries to establish the connection rather than to check
first whether the file is proper or not.
However I could not find a reported bug for this. I am attaching the fix as
a patch for this
2019 Apr 25
2
[PATCH net] vhost_net: fix possible infinite loop
...possible e.g using indirect descriptors or
other.
2) Malicious VM2 generates packets to VM1 as fast as possible
Fixing this by checking against weight at the end of RX and TX
loop. This also eliminates other similar cases when:
- userspace is consuming the packets in the meanwhile
- theoretical TOCTOU attack if guest moving avail index back and forth
to hit the continue after vhost find guest just add new buffers
This addresses CVE-2019-3900.
Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio serv...
2024 Jul 15
2
scattered thoughts on connection sharing
...everyone pretty much do their own ad-hoc thing?
Thing 5: Is there any way to tell the ssh client "try to connect using path/to/my-ctl.socket, and if it doesn't work, then exit with an error code"?
I originally had a long rant written here how -O check is not suitable because it has a TOCTOU issue.
Namely, the persist timeout could expire after the check but before trying to connect.
But it turns out that merely checking resets the timer, so this is not likely to be an issue in practice after all.
I still wish I didn't have to use it because it means I have to launch an extra proce...
2017 Oct 17
2
virConnectIsAlive
Hi
In my program, when libvirtd restarts, the old libvirtd connection (virConnectPtr) has to reconnect. Before using the old virConnectPtr, I call virConnectIsAlive. But when I restart libvirtd, virConnectIsAlive returns 1, and when I continue other operations using the old virConnectPtr, the program will receive signal pipe.
I use libvirt event. Before any API use, I call virEventRegisterDefaultImpl, and
2019 Apr 26
2
[PATCH net] vhost_net: fix possible infinite loop
...; 2) Malicious VM2 generates packets to VM1 as fast as possible
>>
>> Fixing this by checking against weight at the end of RX and TX
>> loop. This also eliminates other similar cases when:
>>
>> - userspace is consuming the packets in the meanwhile
>> - theoretical TOCTOU attack if guest moving avail index back and forth
>> to hit the continue after vhost find guest just add new buffers
>>
>> This addresses CVE-2019-3900.
>>
>> Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
> I agree this is...
2024 Jul 16
1
scattered thoughts on connection sharing
...everyone pretty much do their own ad-hoc thing?
Thing 5: Is there any way to tell the ssh client "try to connect using path/to/my-ctl.socket, and if it doesn't work, then exit with an error code"?
I originally had a long rant written here how -O check is not suitable because it has a TOCTOU issue.
Namely, the persist timeout could expire after the check but before trying to connect.
But it turns out that merely checking resets the timer, so this is not likely to be an issue in practice after all.
I still wish I didn't have to use it because it means I have to launch an extra proce...
2019 May 12
2
[PATCH net] vhost_net: fix possible infinite loop
...> > >
> > > > Fixing this by checking against weight at the end of RX and TX
> > > > loop. This also eliminates other similar cases when:
> > > >
> > > > - userspace is consuming the packets in the meanwhile
> > > > - theoretical TOCTOU attack if guest moving avail index back and forth
> > > >   to hit the continue after vhost find guest just add new buffers
> > > >
> > > > This addresses CVE-2019-3900.
> > > >
> > > > Fixes: d8316f3991d20 ("vhost: fix total lengt...
2019 Apr 25
0
[PATCH net] vhost_net: fix possible infinite loop
...or
> other.
> 2) Malicious VM2 generates packets to VM1 as fast as possible
>
> Fixing this by checking against weight at the end of RX and TX
> loop. This also eliminates other similar cases when:
>
> - userspace is consuming the packets in the meanwhile
> - theoretical TOCTOU attack if guest moving avail index back and forth
> to hit the continue after vhost find guest just add new buffers
>
> This addresses CVE-2019-3900.
>
> Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
I agree this is the real issue.
> F...
2019 May 05
0
[PATCH net] vhost_net: fix possible infinite loop
...ate packets to VM1 as fast as possible
>>>
>>> Fixing this by checking against weight at the end of RX and TX
>>> loop. This also eliminates other similar cases when:
>>>
>>> - userspace is consuming the packets in the meanwhile
>>> - theoretical TOCTOU attack if guest moving avail index back and forth
>>>   to hit the continue after vhost find guest just add new buffers
>>>
>>> This addresses CVE-2019-3900.
>>>
>>> Fixes: d8316f3991d20 ("vhost: fix total length when packets are too
>>>...
2019 May 13
0
[PATCH net] vhost_net: fix possible infinite loop
...>>>
>>>>> Fixing this by checking against weight at the end of RX and TX
>>>>> loop. This also eliminates other similar cases when:
>>>>>
>>>>> - userspace is consuming the packets in the meanwhile
>>>>> - theoretical TOCTOU attack if guest moving avail index back and forth
>>>>>   to hit the continue after vhost find guest just add new buffers
>>>>>
>>>>> This addresses CVE-2019-3900.
>>>>>
>>>>> Fixes: d8316f3991d20 ("vhost: fix total l...
2019 May 14
1
[PATCH net] vhost_net: fix possible infinite loop
...ng this by checking against weight at the end of RX and TX
> > > > > > loop. This also eliminates other similar cases when:
> > > > > >
> > > > > > - userspace is consuming the packets in the meanwhile
> > > > > > - theoretical TOCTOU attack if guest moving avail index back and forth
> > > > > >   to hit the continue after vhost find guest just add new buffers
> > > > > >
> > > > > > This addresses CVE-2019-3900.
> > > > > >
> > > > > >...
2019 May 16
6
[PATCH net 0/4] Prevent vhost kthread from hogging CPU
Hi:
This series tries to prevent a guest triggerable CPU hogging through
vhost kthread. This is done by introducing and checking the weight
after each request. The patch has been tested with reproducer of
vsock and virtio-net. Only compile test is done for vhost-scsi.
Please review.
This addresses CVE-2019-3900.
Jason Wang (4):
vhost: introduce vhost_exceeds_weight()
vhost_net: fix possible
2012 Nov 15
1
[RFC/PATCH v4] XENMEM_claim_pages (subop of existing) hypercall
...rease_reservation or populate_physmap, specific physical
pageframes are not assigned to the domain because this
cannot be done sufficiently quickly (especially for very large
allocations in an arbitrarily fragmented system) and so the
existing mechanisms result in classic time-of-check-time-of-use
(TOCTOU) races. One can think of claiming as similar to a
"lazy" allocation, but subsequent hypercalls are required
to do the actual physical pageframe allocation.
I don't have a patch for the toolstack side, but I envision
a "xl create --claim" option to maximize backwards
c...
2019 May 17
9
[PATCH V2 0/4] Prevent vhost kthread from hogging CPU
Hi:
This series tries to prevent a guest triggerable CPU hogging through
vhost kthread. This is done by introducing and checking the weight
after each request. The patch has been tested with reproducer of
vsock and virtio-net. Only compile test is done for vhost-scsi.
Please review.
This addresses CVE-2019-3900.
Changes from V1:
- fix use-after-free in vsock patch
Jason Wang (4):
vhost:
2008 Feb 18
14
[Patch 3/7] pvSCSI driver
Add vscsiif.h
Signed-off-by: Tomonari Horikoshi <t.horikoshi@jp.fujitsu.com>
Signed-off-by: Jun Kamada <kama@jp.fujitsu.com>
Signed-off-by: Akira Hayakawa <hayakawa.akira@jp.fujitsu.com>
-----
Jun Kamada