Michael Tokarev
2011-Jun-28 20:31 UTC
[Secure-testing-team] Bug#631975: OOB memory access caused by negative vq notifies (CVE pending)
Package: qemu-kvm
Version: 0.12.5+dfsg-5+squeeze3
Severity: grave
Tags: upstream security squeeze sid

The virtio_queue_notify() function checks that the virtqueue number is less than the maximum number of virtqueues. A signed comparison is used, but the virtqueue number could be negative if a buggy or malicious guest is run. This results in memory accesses outside of the virtqueue array.

This can be triggered by a malicious guest: an unprivileged guest user can either crash the qemu process or, possibly, gain extra privileges on the host.

Additional information:
http://patchwork.ozlabs.org/patch/94604/ (upstream patch)
https://bugzilla.redhat.com/show_bug.cgi?id=717399

The problem affects both squeeze and sid versions. It is present in lenny too, but that one is hopeless (we should provide fixes for lenny backports instead).
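The signed-versus-unsigned bound check described in the report, shown as a constructed C example added here (it is not QEMU's code, and the structure names, the queue count NUM_QUEUES and the register-write helpers are assumptions for illustration). The vulnerable variant keeps the signed comparison the report describes; the hardened variant compares the guest-supplied value as unsigned, which is the shape of the upstream fix. To stay well-defined, the example detects the out-of-bounds index rather than dereferencing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a device's virtqueue table.  The name and size
 * are assumptions for this example, not values from the bug report. */
#define NUM_QUEUES 64

struct virtqueue {
    uint32_t vring_num;     /* toy field so the struct is non-empty */
    int last_notified;      /* set when a notify for this queue is handled */
};

struct virtio_dev {
    struct virtqueue vq[NUM_QUEUES];
};

/* Outcome of handling a queue-notify register write from the guest. */
enum notify_result {
    NOTIFY_OK,              /* index in range, queue handled */
    NOTIFY_REJECTED,        /* index out of range, write ignored */
    NOTIFY_OOB_ACCESS       /* check passed but index lies outside vq[] */
};

/* Vulnerable pattern: the 32-bit value written by the guest is treated as a
 * signed int and compared with a signed bound.  0xFFFFFFFF becomes -1, which
 * is "less than" NUM_QUEUES, so the check passes and vq[n] would index before
 * the start of the array.  The n < 0 test below is only here so the example
 * reports the bug instead of performing the out-of-bounds access. */
static enum notify_result notify_signed(struct virtio_dev *d, uint32_t guest_val)
{
    int n = (int)guest_val;             /* signed interpretation (wraps on common ABIs) */
    if (n < NUM_QUEUES) {               /* signed comparison: negative n passes */
        if (n < 0)
            return NOTIFY_OOB_ACCESS;   /* real code would touch d->vq[n] here */
        d->vq[n].last_notified = 1;
        return NOTIFY_OK;
    }
    return NOTIFY_REJECTED;
}

/* Hardened pattern: keep the value unsigned, so every "negative" register
 * value is a large unsigned number and fails the bound check. */
static enum notify_result notify_unsigned(struct virtio_dev *d, uint32_t guest_val)
{
    uint32_t n = guest_val;
    if (n < NUM_QUEUES) {               /* unsigned comparison */
        d->vq[n].last_notified = 1;
        return NOTIFY_OK;
    }
    return NOTIFY_REJECTED;
}

/* Convenience wrapper: run one guest write against a fresh device using
 * either the vulnerable or the hardened check, and report the outcome. */
static enum notify_result run_notify(bool hardened, uint32_t guest_val)
{
    struct virtio_dev d;
    memset(&d, 0, sizeof d);
    return hardened ? notify_unsigned(&d, guest_val)
                    : notify_signed(&d, guest_val);
}

int main(void)
{
    /* Constructed guest register values: a valid index, one just past the
     * end, and the all-ones value that reads as -1 when treated as signed. */
    uint32_t samples[] = { 3u, NUM_QUEUES, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum notify_result vuln = run_notify(false, samples[i]);
        enum notify_result safe = run_notify(true, samples[i]);
        (void)vuln; (void)safe;         /* inspect in a debugger or extend as needed */
    }
    return 0;
}
```

The only difference between the two handlers is the type used for the comparison; with a signed `int`, the guest's all-ones write slips past the bound check, while the unsigned form rejects it as an ordinary out-of-range index.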