Date: Thu, 19 May 2011 12:39:02 +0200 From: Petr Matousek <pmatouse@...hat.com> To: oss-security@...ts.openwall.com Cc: coley@...us.mitre.org, nelhage@...hage.com Subject: CVE-2011-1751 qemu: acpi_piix4: missing hotplug check during device removal Writing the value 2 to I/O port 0xae08 ("PCI_EJ_BASE") initiates the PIIX3 PCI-ISA bridge removal. Unplugging this causes all of the ISA devices to be unplugged and right now the ISA (in particularly the RTC) devices cannot handle unplug gracefuly. During MC146818 removal RTCState structure backing the emulated RTC is freed but embedded timers are not unlinked from active_timers list. Next time the timer fires SIGSEGV occurs. RTCState embedds several QEMUTimer structures that define function pointers (callbacks) that get called when timer expires. Since the memory is freed, however, it is possible, under some circumstances, for the guest to cause a controlled allocation into the freed space, which can ultimately be exploited for code execution in the context of the qemu or qemu-kvm process. Credit: Nelson Elhage References: https://bugzilla.redhat.com/show_bug.cgi?id=699773 http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html Thanks, -- Petr Matousek / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ