blob: bf42072a671ac225271cdc4e789a96136dacfa89 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
device: 0.730
files: 0.677
vnc: 0.657
graphic: 0.588
ppc: 0.573
mistranslation: 0.531
permissions: 0.492
socket: 0.470
register: 0.465
semantic: 0.438
network: 0.423
PID: 0.397
TCG: 0.388
risc-v: 0.365
VMM: 0.362
architecture: 0.348
boot: 0.305
arm: 0.297
debug: 0.286
i386: 0.191
performance: 0.136
kernel: 0.131
virtual: 0.127
x86: 0.126
assembly: 0.114
user-level: 0.095
peripherals: 0.079
KVM: 0.078
hypervisor: 0.042
In windows host, tftp arbitrary file read vulnerability
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
if (!strncmp(req_fname, "../", 3) ||
req_fname[strlen(req_fname) - 1] == '/' ||
strstr(req_fname, "/../")) {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
There are file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.
This is fixed upstream by https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
|
