[Secure-testing-team] Bug#631975: OOB memory access caused by negative vq notifies (CVE pending)

Michael Tokarev mjt at tls.msk.ru
Tue Jun 28 20:31:04 UTC 2011


Package: qemu-kvm
Version: 0.12.5+dfsg-5+squeeze3
Severity: grave
Tags: upstream security squeeze sid

The virtio_queue_notify() function checks that the virtqueue number is
less than the maximum number of virtqueues.  A signed comparison is used
but the virtqueue number could be negative if a buggy or malicious guest
is run.  This results in memory accesses outside of the virtqueue array.
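As an added illustration (not the qemu-kvm source or the upstream patch), a simplified C model of the check described above: the signed upper-bound test that lets a negative queue number through, next to the corrected form that also enforces the lower bound. The structs, QUEUE_MAX and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define QUEUE_MAX 64   /* stand-in for the size of the virtqueue array (assumed) */

/* Constructed model of a device holding an array of virtqueues. */
typedef struct {
    uint64_t desc_addr;   /* non-zero once the guest has configured the queue */
    int notified;         /* how many notifies reached this queue */
} ModelVirtQueue;

typedef struct {
    ModelVirtQueue vq[QUEUE_MAX];
} ModelDevice;

/* The flawed pattern: a signed comparison against the maximum only.
 * A negative n passes and would index before the start of vq[]. */
bool vq_index_ok_signed_only(int n) {
    return n < QUEUE_MAX;
}

/* Corrected check: reject anything outside [0, QUEUE_MAX).
 * Declaring n as an unsigned type would make the single upper-bound
 * test sufficient, since negative values then become large numbers. */
bool vq_index_ok_fixed(int n) {
    return n >= 0 && n < QUEUE_MAX;
}

/* Hardened notify handler: validates n before it is used as an index.
 * Returns 0 on success, -1 if the index or the queue state is rejected. */
int model_queue_notify(ModelDevice *dev, int n) {
    if (!vq_index_ok_fixed(n))
        return -1;
    if (dev->vq[n].desc_addr == 0)
        return -1;            /* queue never set up by the guest */
    dev->vq[n].notified++;
    return 0;
}

/* Helper for a stand-alone run: device with only queue 3 configured. */
int demo_notify(int n) {
    ModelDevice dev;
    memset(&dev, 0, sizeof dev);
    dev.vq[3].desc_addr = 0x1000;    /* constructed guest-provided address */
    return model_queue_notify(&dev, n);
}
```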

This can be triggered by a malicious guest: an unprivileged guest user can
either crash the qemu process or, possibly, gain extra privileges on
the host.

Additional information:
http://patchwork.ozlabs.org/patch/94604/ (upstream patch)
https://bugzilla.redhat.com/show_bug.cgi?id=717399

The problem affects both squeeze and sid versions.  It is present in
lenny too, but that one is hopeless (we should provide fixes for
lenny backports instead).
