oss-sec mailing list archives

CVE request -- qxl: synchronous io guest DoS


From: Petr Matousek <pmatouse () redhat com>
Date: Wed, 30 Jan 2013 17:37:32 +0100

A flaw was found in the way spice connection breakups were handled in
the qemu-kvm qxl driver. Some of the qxl port i/o commands were waiting
for the spice server to complete the actions, while the corresponding
thread holds qemu_mutex mutex, potentially blocking other threads in the
guest's qemu-kvm process. A user able to initiate a spice connection to
the guest could use this flaw to make the guest temporarily unavailable or,
in case kernel.softlockup_panic in the guest was set, crash the guest.

Upstream fixes:
xf86-video-qxl commit
http://cgit.freedesktop.org/xorg/driver/xf86-video-qxl/commit/?id=30b4b72cdbdf9f0e92a8d1c4e01779f60f15a741

which relies on qemu-kvm functionality introduced by commit
http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commit;h=5ff4e36c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=906032

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team