On 4/11/20 11:36 PM, Peter Maydell wrote:
> On Sat, 11 Apr 2020 at 20:45, Philippe Mathieu-Daudé <f4...@amsat.org> wrote:
>> Buffer overflows are security issues because they allow attacker to
>> arbitrarily write data in the process memory, and eventually take
>> control of it. When attacker takes control, it can access underlying
>> private data.
>
> Note that for QEMU our security boundary is "VMs using KVM"; so
> buffer overflows are a security issue in code and devices that
> you can use in a KVM setup (including pluggable devices like
> PCI devices) but not devices you can only use in a TCG setup
> (where they're just bugs, though obviously ones we should
> fix sooner rather than later).

"VMs using KVM" as security boundary is very clear, thanks.

Note 1: This doesn't appear on the QEMU security process description:
https://www.qemu.org/contribute/security-process/

Note 2: If a reported bug is not in security boundary, it should be
reported as a bug to mainstream QEMU, to give the community a chance to
fix it.

Regards,

Phil.

>
> thanks
> -- PMM
>