oss-sec mailing list archives
CVE request -- qxl: synchronous io guest DoS
From: Petr Matousek <pmatouse () redhat com>
Date: Wed, 30 Jan 2013 17:37:32 +0100
A flaw was found in the way spice connection breakups were handled in the qemu-kvm qxl driver. Some of the qxl port i/o commands were waiting for the spice server to complete the actions, while the corresponding thread holds qemu_mutex mutex, potentially blocking other threads in the guest's qemu-kvm process. An user able to initiate spice connection to the guest could use this flaw to make guest temporarily unavailable or, in case kernel.softlockup_panic in the guest was set, crash the guest. Upstream fixes: xf86-video-qxl commit http://cgit.freedesktop.org/xorg/driver/xf86-video-qxl/commit/?id=30b4b72cdbdf9f0e92a8d1c4e01779f60f15a741 which relies on qemu-kvm functionality introduced by commit http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commit;h=5ff4e36c References: https://bugzilla.redhat.com/show_bug.cgi?id=906032 Thanks, -- Petr Matousek / Red Hat Security Response Team
Current thread:
- CVE request -- qxl: synchronous io guest DoS Petr Matousek (Jan 30)
- Re: CVE request -- qxl: synchronous io guest DoS Kurt Seifried (Jan 30)