QEMU(TCG): user-to-root privesc inside VM via bad translation caching (chromium.org)
"However, while real X86 processors have a maximum instruction length of 15 bytes, QEMU's instruction decoder for X86 does not place any limit on the instruction length or the number of instruction prefixes."

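The quoted sentence hinges on one check: real x86 hardware faults once redundant prefixes push an instruction past 15 bytes, while a permissive decoder keeps consuming them. The sketch below is an added example written for this thread, not QEMU's decoder and not code from the bug report. It contrasts a prefix loop with no length bound against one that refuses any encoding where an opcode could no longer fit inside the 15-byte window (the Intel SDM describes the over-length case as raising #GP). The legacy prefix set and the byte strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not QEMU's code. Real x86 CPUs cap an instruction
 * at 15 bytes; only redundant prefixes can push past it, and doing so
 * raises a general-protection fault. */
#define X86_MAX_INSN_LEN 15

/* Legacy (non-REX) prefix bytes that may be repeated before an opcode. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0xF0: case 0xF2: case 0xF3:            /* LOCK, REPNE, REP/REPE        */
    case 0x26: case 0x2E: case 0x36: case 0x3E: /* ES, CS, SS, DS overrides      */
    case 0x64: case 0x65:                       /* FS, GS overrides              */
    case 0x66: case 0x67:                       /* operand-size, address-size    */
        return 1;
    default:
        return 0;
    }
}

/* Permissive decode: swallows every prefix byte, however many, and returns
 * the count. Models the "no limit" behaviour the quote describes. */
int count_prefixes_unbounded(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(buf[i]))
        i++;
    return (int)i;
}

/* Hardware-faithful decode: at least one opcode byte must still fit inside
 * the 15-byte window. A prefix occupying byte 15 (index 14) means the
 * opcode would land at byte 16 or later, so a real CPU faults. Returns the
 * prefix count, or -1 to signal the fault. */
int count_prefixes_bounded(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(buf[i])) {
        if (i + 1 >= X86_MAX_INSN_LEN)   /* no room left for an opcode */
            return -1;
        i++;
    }
    return (int)i;
}

/* Constructed sample encodings (not taken from the bug report):
 * 66h operand-size prefixes followed by a one-byte NOP (90h). */
static const uint8_t short_insn[]   = { 0x66, 0x66, 0x66, 0x90 };         /* 4 bytes   */
static const uint8_t max_len_insn[] = { 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
                                        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
                                        0x90 };                            /* 15 bytes  */
static const uint8_t overlong_insn[] = { 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
                                         0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
                                         0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x90 }; /* 21 bytes */

int demo_short_bounded(void)      { return count_prefixes_bounded(short_insn, sizeof short_insn); }
int demo_max_len_bounded(void)    { return count_prefixes_bounded(max_len_insn, sizeof max_len_insn); }
int demo_overlong_unbounded(void) { return count_prefixes_unbounded(overlong_insn, sizeof overlong_insn); }
int demo_overlong_bounded(void)   { return count_prefixes_bounded(overlong_insn, sizeof overlong_insn); }

int main(void)
{
    printf("3 prefixes + NOP,  bounded:   %d\n", demo_short_bounded());
    printf("14 prefixes + NOP, bounded:   %d (legal, exactly 15 bytes)\n", demo_max_len_bounded());
    printf("20 prefixes + NOP, unbounded: %d\n", demo_overlong_unbounded());
    printf("20 prefixes + NOP, bounded:   %d (fault)\n", demo_overlong_bounded());
    return 0;
}
```

The point of the boundary case is that the check belongs on total encoded length, not on prefix count alone: fourteen prefixes plus a one-byte opcode is a legal 15-byte instruction, while the same fourteen prefixes in front of a two-byte opcode would already be over the limit.
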
Interesting, and not your usual type of exploit. Guessing this isn't one that will have the Rust crowd doling out "told ya so" :). Logic error only. No buffer overflow, not much strong types do for you, etc.

Well, look on the bright side: once we eliminate the boring old memory safety bugs, and the XSS, and the SQL injection, the exploits that remain will at least be interesting.

> To be clear: As far as I know, this bug only affects the TCG mode (without hardware acceleration), not KVM VMs or so.

I wonder what the reach of that bug is.

As the bug seems to rely on a maximum instruction length that is present in hardware x86 but not in QEMU's x86, the reach of this particular bug seems to be just the software emulated mode.

Yes, I get that. I was wondering how widely used qemu is in x86 software mode.

It might be used for special applications, but not for your typical server that is connected to the internet, simply because it's horribly slow compared to the virtualization support (VT-x / AMD-V) most modern CPUs offer since at least 2010.

Right, if you're running on x86 hardware. The use case is probably non-x86 hardware running x86 VMs.

For example, I remember using qemu to emulate RPi with ARM software emulation on my x86 machine.

