
Bug 365259 (CVE-2011-1751)

Summary: <app-emulation/qemu-kvm-0.14.1-r2: acpi_piix4: missing hotplug check during device removal (CVE-2011-1751)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: cardoe, jmbsvicetto, lu_zero, tommy
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Deadline: 2011-05-18   

Description Stefan Behte (RETIRED) gentoo-dev Security 2011-04-28 22:40:32 UTC
Hello vendors,

we have been informed by Nelson Elhage of a new security issue in qemu(-kvm).
Details of the issue together with assigned CVE ID, reproducer and patch are
attached.

Another reproducer that actually shows guest -> host escape does exist. There
are some mitigation factors though: ASLR, need for user space networking (in
current exploit, we believe it could be removed though), sVirt. Anyway,
this issue is real and exploitable.

Nelson agreed with a CRD of 2011-05-18 so please consider this issue
embargoed until this date passes.

Thank you,
--
Petr Matousek / Red Hat Security Response Team

------- < patch > -------

Upstream commits:
e8ec0571e16115203f4d6cc7eb31f930167592f8
0965f12da61cbfe62252d21a8e6fa309753760e8
2f6bfe3b0c5bb216abfe015d824eaf84c449c6a5
668643b025dcff72b9b18adb5df794be9e9be5dc
180c22e18b0a9be21445271f94347238b0bc0a25
be92bbf73dfd7d8a4786dc5f6c71590f4fbc5a32

+ (+- some whitespaces)

diff --git a/hw/acpi.c b/hw/acpi.c
index 4898b56..6488742 100644
--- a/hw/acpi.c
+++ b/hw/acpi.c
@@ -802,11 +802,13 @@ static void pciej_write(void *opaque, uint32_t
addr, uint32_t val)
BusState *bus = opaque;
DeviceState *qdev, *next;
PCIDevice *dev;
+ PCIDeviceInfo *info;
int slot = ffs(val) - 1;

QLIST_FOREACH_SAFE(qdev, &bus->children, sibling, next) {
    dev = DO_UPCAST(PCIDevice, qdev, qdev);
    - if (PCI_SLOT(dev->devfn) == slot) {
    + info = container_of(qdev->info, PCIDeviceInfo, qdev);
    + if (PCI_SLOT(dev->devfn) == slot && !info->no_hotplug) {
      qdev_free(qdev);
    }
}
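Review bot: the new `!info->no_hotplug` condition only protects devices whose PCIDeviceInfo actually sets that flag, and nothing in this hunk shows the PIIX3 PCI-ISA bridge (the device the CVE text says must not be ejected) being marked that way, so the backport into the 0.14.x ebuild must carry whichever of the six listed upstream commits sets `no_hotplug` on the bridge, or the check is a no-op. Two further points for whoever applies it: the hunk is against hw/acpi.c while the CVE description names hw/acpi_piix4.c, so it has been rebased at least once and should be re-derived from the upstream commit ids rather than this mail; and, as the "(+- some whitespaces)" remark warns, the indentation of the `QLIST_FOREACH_SAFE` body has been mangled in transit, so `git apply` will reject it as pasted. A minor style point: a guest that tries to eject a non-hotpluggable slot is now silently ignored, and a debug trace at the `&& !info->no_hotplug` branch would make that condition visible when diagnosing an unplug that "did nothing".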

------- < /patch > -------
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-04-28 23:04:22 UTC
Please provide an updated ebuild:

a bump is needed for #364889 anyways and I think that issue is nearly as bad as this one.

This one is embargoed for about three weeks, so I think it would be cool if you could bump #364889 for 0.13.x (looks like an easy patch to me) and have 0.14.x with patch for this issue ready in three weeks?

As I have several machines running KVM, I'd be glad to help out: you can catch me on IRC or via mail.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-19 21:01:02 UTC
Public now.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2011-05-26 00:39:08 UTC
I don't see this in upstream's repo. Any idea where it can be found?
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2011-05-27 23:13:50 UTC
Fixed in app-emulation/qemu-kvm-0.14.1, which is now in the tree.
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2011-05-31 05:22:13 UTC
The target stable version will be qemu-kvm-0.14.1-r1
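The bug summary states the vulnerable range as the Portage atom `<app-emulation/qemu-kvm-0.14.1-r2`, and the comments above track the fix through 0.14.1, 0.14.1-r1 and the stable request. Deciding whether a given host still runs an affected build means comparing Gentoo version strings (numeric components, an optional letter, `_rc`/`_p`-style suffixes and the `-rN` ebuild revision) correctly, which plain string comparison gets wrong. The script below is an added example written for this page, not code from the bug, from Gentoo or from Portage. It implements a simplified version of the PMS comparison rules (numeric components are compared as integers, which ignores the leading-zero special case), reads installed packages from the real Portage VDB path `/var/db/pkg/<category>/` when present, and otherwise runs against a constructed sample list.

```python
import os
import re

# Vulnerable range exactly as the bug summary gives it: everything below 0.14.1-r2.
FIXED_ATOM = "<app-emulation/qemu-kvm-0.14.1-r2"

# Ordering of PMS version suffixes. A plain release (empty suffix) sorts above
# _alpha/_beta/_pre/_rc pre-releases and below a _p patch release.
_SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                         # 0.14.1
    r"(?P<letter>[a-z])?"                               # optional letter, e.g. 1.0a
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"   # _rc1, _p2, ...
    r"(?:-r(?P<rev>\d+))?$"                             # ebuild revision, e.g. -r2
)

# "category/package-version" with an optional leading comparison operator.
_ATOM_RE = re.compile(
    r"^(?P<op>>=|<=|[<>=]?)"
    r"(?P<pkg>[A-Za-z0-9_+][A-Za-z0-9_+-]*/[A-Za-z0-9_+][A-Za-z0-9_+-]*?)"
    r"-(?P<ver>\d.*)$"
)


def parse_version(version):
    """Split a Gentoo version into (numeric components, letter, suffixes, revision).

    Simplification (assumption for this example): numeric components are compared
    as integers; PMS treats components with a leading zero as strings.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported Gentoo version string: {version!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = ord(m.group("letter")) if m.group("letter") else 0
    suffixes = [(_SUFFIX_ORDER[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    revision = int(m.group("rev") or 0)
    return nums, letter, suffixes, revision


def _compare_suffixes(a, b):
    # A missing suffix behaves like the empty (plain release) suffix.
    empty = (_SUFFIX_ORDER[""], 0)
    for i in range(max(len(a), len(b))):
        sa = a[i] if i < len(a) else empty
        sb = b[i] if i < len(b) else empty
        if sa != sb:
            return -1 if sa < sb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    pa, pb = parse_version(a), parse_version(b)
    for idx in (0, 1):                       # numeric components, then letter
        if pa[idx] != pb[idx]:
            return -1 if pa[idx] < pb[idx] else 1
    c = _compare_suffixes(pa[2], pb[2])
    if c:
        return c
    if pa[3] != pb[3]:                       # ebuild revision last
        return -1 if pa[3] < pb[3] else 1
    return 0


def split_atom(atom):
    """Return (operator, category/package, version) for an atom or a plain cpv."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a category/package-version string: {atom!r}")
    return m.group("op") or "=", m.group("pkg"), m.group("ver")


def is_affected(cpv, atom=FIXED_ATOM):
    """True if the installed category/package-version lies inside the atom's range."""
    _, pkg, ver = split_atom(cpv)
    op, want_pkg, want_ver = split_atom(atom)
    if pkg != want_pkg:
        return False
    c = compare_versions(ver, want_ver)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def vulnerable_installs(cpvs, atom=FIXED_ATOM):
    """Filter a list of installed cpv strings down to those inside the vulnerable range."""
    return sorted(cpv for cpv in cpvs if is_affected(cpv, atom))


def installed_from_vdb(category, vdb="/var/db/pkg"):
    """List installed cpvs for one category from Portage's VDB (empty if absent)."""
    path = os.path.join(vdb, category)
    if not os.path.isdir(path):
        return []
    return [f"{category}/{entry}" for entry in sorted(os.listdir(path))
            if os.path.isdir(os.path.join(path, entry))]


if __name__ == "__main__":
    installed = installed_from_vdb("app-emulation")
    if not installed:
        # Constructed sample for an offline run; not taken from any real host.
        installed = ["app-emulation/qemu-kvm-0.13.0", "app-emulation/qemu-kvm-0.14.1-r1",
                     "app-emulation/qemu-kvm-0.14.1-r2", "app-emulation/qemu-1.0"]
    for cpv in installed:
        print(cpv, "VULNERABLE" if is_affected(cpv) else "ok")
```

Run on a Gentoo host it reports every qemu-kvm build below 0.14.1-r2; elsewhere it falls back to the constructed sample, where 0.13.0 and 0.14.1-r1 are flagged and 0.14.1-r2 and the unrelated `app-emulation/qemu` package are not. The same `is_affected` check works for any `<`, `<=`, `=`, `>=` or `>` atom of the kind GLSAs publish.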
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2011-06-20 23:27:43 UTC
When can this go stable?
Comment 7 Agostino Sarubbo gentoo-dev 2011-12-05 20:16:40 UTC
added it to existing glsa request.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2012-01-30 12:07:02 UTC
Stable now, removing dependency.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-27 21:52:32 UTC
Added to pending GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 22:27:32 UTC
CVE-2011-1751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1751):
  The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management
  emulation in qemu-kvm does not check if a device is hotpluggable before
  unplugging the PCI-ISA bridge, which allows privileged guest users to cause
  a denial of service (guest crash) and possibly execute arbitrary code by
  sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to
  a use-after-free related to "active qemu timers."
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:59:19 UTC
This issue was resolved and addressed in
 GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml
by GLSA coordinator Stefan Behte (craig).