[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: qemu-kvm: OOB memory access caused
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-06-29 19:58:03
Message-ID: 667287819.1024512.1309377483164.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2011-2512.

Thanks.

-- 
    JB

----- Original Message -----
> The virtio_queue_notify() function checks that the virtqueue number is
> less than the maximum number of virtqueues. A signed comparison is
> used, but the virtqueue number could be negative if a buggy or
> malicious guest is run. This results in memory accesses outside of
> the virtqueue array.
> 
> To trigger this issue the attacker needs to issue a 32-bit write to the
> Queue Notify field of the Virtio Header in the virtio PCI config space,
> even though the field is only 16 bits wide by spec. Qemu-kvm allows that
> for the moment and provides the whole 32-bit value to the underlying
> functions.
> 
> An unprivileged guest user could use this flaw to crash the guest
> (denial of service) or, possibly, escalate their privileges on the host.
> 
> Upstream patch:
> http://patchwork.ozlabs.org/patch/94604/
> 
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=717399
> http://patchwork.ozlabs.org/patch/94604/
> 
> Thanks,
> --
> Petr Matousek / Red Hat Security Response Team
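As an added illustration of the flaw described in the quoted report (this is example code written here, not code from the report, from QEMU, or from the upstream patch linked above), the C model below shows why a signed upper-bound check accepts a 32-bit Queue Notify write such as 0xffffffff, what offset the resulting index would reach relative to the virtqueue array, and how a two-sided check, together with truncating the write to the field's 16-bit width, closes the hole. VIRTIO_QUEUE_MAX, struct vq_model and every function name are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the check described in the report. VIRTIO_QUEUE_MAX,
 * struct vq_model and every function below are assumptions made for this
 * example; they are not QEMU's code and do not reproduce the upstream patch.
 */
#define VIRTIO_QUEUE_MAX 64

struct vq_model {
    uint64_t desc_addr;          /* non-zero once the guest has configured the queue */
    uint16_t last_avail_idx;
};

/*
 * Vulnerable pattern: the raw 32-bit register value arrives as a signed int
 * and only the upper bound is checked. A guest write of 0xffffffff becomes
 * n == -1, which satisfies n < VIRTIO_QUEUE_MAX, so the index is accepted
 * and vq[n] lands before the start of the array.
 * Returns true if the device would go on to touch vq[*idx].
 */
static bool notify_check_vulnerable(uint32_t reg_value, int *idx)
{
    int n = (int)reg_value;      /* wraps to a negative value for reg_value >= 0x80000000 */
    if (n < VIRTIO_QUEUE_MAX) {
        *idx = n;
        return true;
    }
    return false;
}

/*
 * Byte offset from the start of the vq array that the vulnerable path would
 * access, computed without performing the access. Negative means the access
 * lands below the array.
 */
static bool vulnerable_access_offset(uint32_t reg_value, int64_t *offset)
{
    int idx;
    if (!notify_check_vulnerable(reg_value, &idx)) {
        return false;
    }
    *offset = (int64_t)idx * (int64_t)sizeof(struct vq_model);
    return true;
}

/*
 * Hardened check: reject negative values as well as values at or above the
 * maximum. Comparing as unsigned ((unsigned)n >= VIRTIO_QUEUE_MAX) is the
 * equivalent one-line form; the explicit two-sided test reads more clearly.
 */
static bool notify_check_hardened(int n, int *idx)
{
    if (n < 0 || n >= VIRTIO_QUEUE_MAX) {
        return false;
    }
    *idx = n;
    return true;
}

/*
 * Second, independent layer: honour the 16-bit width the spec gives the
 * Queue Notify field. A 32-bit register write is truncated to the field
 * before it reaches the queue logic, so it can never yield a negative int.
 * (Assumed handling for this example, not qemu-kvm's.)
 */
static int queue_notify_field_value(uint32_t reg_value)
{
    return (int)(uint16_t)(reg_value & 0xffffu);
}

/* Combined write handler as a hardened device model would apply it. */
static bool handle_queue_notify_write(uint32_t reg_value, int *idx)
{
    return notify_check_hardened(queue_notify_field_value(reg_value), idx);
}

int main(void)
{
    /* Constructed probe values a guest might write to the notify register. */
    static const uint32_t probes[] = { 0u, 5u, 63u, 64u, 0x8000u, 0x80000000u, 0xffffffffu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int idx = 0;
        int64_t off = 0;
        bool vuln = vulnerable_access_offset(probes[i], &off);
        bool hard = handle_queue_notify_write(probes[i], &idx);
        printf("write 0x%08x: vulnerable=%s offset=%lld  hardened=%s idx=%d\n",
               probes[i], vuln ? "access" : "reject", vuln ? (long long)off : 0LL,
               hard ? "accept" : "reject", hard ? idx : -1);
    }
    return 0;
}
```

Run as is, the loop prints one line per probe: the signed check accepts 0x80000000 and 0xffffffff with negative offsets, while the hardened handler rejects every value outside 0..63 after truncation. Note that truncation alone changes semantics for writes like 0x00010005 (accepted as queue 5), which is why the sign check stays in place as well.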