oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request: qemu host crash from within guest

From: Vincent Danen <vdanen () redhat com>
Date: Thu, 26 Sep 2013 12:39:10 -0600
Could a CVE be assigned to the following?

A dangling pointer access flaw was found in the way qemu handled
hot-unplugging virtio devices.  This flaw was introduced by virtio
refactoring and exists in the virtio-pci implementation.  When the
virtio-blk-pci device is deleted, the virtio-blk-device is removed first
(removal is done in post-order).  Later, the virtio-blk-device is
accessed again, but proxy->vdev->vq is no longer valid (a dangling
pointer) and kvm_set_ioeventfd_pio fails.

A privileged guest user could use this flaw to crash the qemu process on
the host system, causing a denial of service to it and any other running
virtual machines.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1012633
http://thread.gmane.org/gmane.comp.emulators.qemu/234440

--
Vincent Danen / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: