First published: Thu Sep 26 2013(Updated: )
A dangling pointer access flaw was found in the way qemu handled hot-unplugging virtio devices. This flaw was introduced by virtio refactoring and exists in the virtio-pci implementation. When the virtio-blk-pci device is deleted, the virtio-blk-device is removed first (removal is done in post-order). Later, the virtio-blk-device is accessed again, but proxy->vdev->vq is no longer valid (a dangling pointer) and kvm_set_ioeventfd_pio fails. A privileged guest user could use this flaw to crash the qemu process on the host system, causing a denial of service to it and any other running virtual machines. Patches are available at <a href="http://thread.gmane.org/gmane.comp.emulators.qemu/234440">http://thread.gmane.org/gmane.comp.emulators.qemu/234440</a> Acknowledgements: This issue was discovered by Sibiao Luo of Red Hat.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
QEMU qemu | =1.4.0 | |
QEMU qemu | =1.4.1 | |
QEMU qemu | =1.4.2 | |
QEMU qemu | =1.5.0 | |
QEMU qemu | =1.5.0-rc1 | |
QEMU qemu | =1.5.0-rc2 | |
QEMU qemu | =1.5.0-rc3 | |
QEMU qemu | =1.5.1 | |
QEMU qemu | =1.5.2 | |
QEMU qemu | =1.5.3 | |
QEMU qemu | =1.6.0 | |
QEMU qemu | =1.6.0-rc1 | |
QEMU qemu | =1.6.0-rc2 | |
QEMU qemu | =1.6.0-rc3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.