On 25/09/2019 22.51, Philippe Mathieu-Daudé wrote: [...] > Let's say I have write access to a LAN TFTP server used by some PXE > bootloader where I can store my crafted nasty kernel, then I get this score: > > https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C&version=3.1 > > CVSS Base Score: 9.6 > CVSS Temporal Score: 8.6 > > Which seems quite high.
I don't think you can trigger this bug this way. If you load your kernel via a PXE server, the ELF parsing will be done by the bootloader, won't it? I think you can only trigger this bug here if you load your kernel via the "-kernel" command line parameter of QEMU (or the generic-loader device), so it's not a real guest escape, as far as I can see. Thomas
