Bug 365259 (CVE-2011-1751) - <app-emulation/qemu-kvm-0.14.1-r2: acpi_piix4: missing hotplug check during device removal (CVE-2011-1751)
Alias: CVE-2011-1751
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest major
Deadline: 2011-05-18
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2011-04-28 22:40 UTC by Stefan Behte (RETIRED)
Modified: 2012-10-18 20:59 UTC

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2011-04-28 22:40:32 UTC
Hello vendors,

we have been informed by Nelson Elhage of a new security issue in qemu(-kvm).
Details of the issue together with assigned CVE ID, reproducer and patch are

Another reproducer that actually shows guest -> host escape does exist. There
are some mitigation factors though: ASLR, need for user space networking (in
current exploit, we believe it could be removed though), sVirt. Anyway,
this issue is real and exploitable.

Nelson agreed with a CRD of 2011-05-18 so please consider this issue
embargoed until this date passes.

Thank you,
Petr Matousek / Red Hat Security Response Team

------- < patch > -------

Upstream commits:

+ (+- some whitespaces)

diff --git a/hw/acpi.c b/hw/acpi.c
index 4898b56..6488742 100644
--- a/hw/acpi.c
+++ b/hw/acpi.c
@@ -802,11 +802,13 @@ static void pciej_write(void *opaque, uint32_t
addr, uint32_t val)
BusState *bus = opaque;
DeviceState *qdev, *next;
PCIDevice *dev;
+ PCIDeviceInfo *info;
int slot = ffs(val) - 1;

QLIST_FOREACH_SAFE(qdev, &bus->children, sibling, next) {
    dev = DO_UPCAST(PCIDevice, qdev, qdev);
    - if (PCI_SLOT(dev->devfn) == slot) {
    + info = container_of(qdev->info, PCIDeviceInfo, qdev);
    + if (PCI_SLOT(dev->devfn) == slot && !info->no_hotplug) {
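Review bot: the new `info = container_of(qdev->info, PCIDeviceInfo, qdev);` runs for every child on the bus before the slot comparison, so every unrelated device pays the upcast on each eject write; moving it inside the `PCI_SLOT(dev->devfn) == slot` branch keeps the hotplug test where it is needed and leaves the matching logic unchanged. With `&& !info->no_hotplug` a write selecting a slot that holds a non-hotpluggable device now falls through silently instead of ejecting it, which is the intended fix, but the hunk is cut off right after the `if` line with no trailing context, and the diff is against hw/acpi.c while the CVE text names hw/acpi_piix4.c, so the Gentoo backport has to locate pciej_write in the target tree (see comment 3 below) and should expect fuzz given the "+- some whitespaces" note above the diff.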

------- < /patch > -------
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-04-28 23:04:22 UTC
Please provide an updated ebuild:

a bump is needed for #364889 anyway and I think that issue is nearly as bad as this one.

This one is embargoed for about three weeks, so I think it would be cool if you could bump #364889 for 0.13.x (looks like an easy patch to me) and have 0.14.x with patch for this issue ready in three weeks?

As I have several machines running KVM, I'd be glad to help out: you can catch me on IRC or via mail.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2011-05-19 21:01:02 UTC
Public now.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2011-05-26 00:39:08 UTC
I don't see this in upstream's repo. Any idea where it can be found?
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2011-05-27 23:13:50 UTC
Fixed in app-emulation/qemu-kvm-0.14.1, which is now in the tree.
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2011-05-31 05:22:13 UTC
The target stable version will be qemu-kvm-0.14.1-r1
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2011-06-20 23:27:43 UTC
When can this go stable?
Comment 7 Agostino Sarubbo gentoo-dev 2011-12-05 20:16:40 UTC
added it to existing glsa request.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2012-01-30 12:07:02 UTC
Stable now, removing dependency.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-27 21:52:32 UTC
Added to pending GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 22:27:32 UTC
CVE-2011-1751: The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."
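The eject path the CVE text describes, shown as an added example: a small C model (constructed for this page, not qemu's code) of the pciej_write() loop with and without the no_hotplug check. The bus layout (slot 1 holding the PIIX3 ISA bridge, IDE and PIIX4 PM functions, a hot-pluggable NIC in slot 3), the single PM timer that keeps a pointer to its device, and all function and field names are assumptions of the model, chosen to make the use-after-free visible rather than taken from qemu.

```c
#include <stdint.h>
#include <stdio.h>

/* PCI devfn helpers with the encoding of qemu's hw/pci.h */
#define PCI_DEVFN(slot, func) ((uint8_t)(((slot) << 3) | (func)))
#define PCI_SLOT(devfn)       (((devfn) >> 3) & 0x1f)
#define MAX_DEVS   8
#define MAX_TIMERS 4

struct dev {
    uint8_t devfn;
    int no_hotplug;   /* PCIDeviceInfo.no_hotplug in qemu's qdev model */
    int alive;        /* cleared when the eject path frees the device */
};

/* A host timer holding a pointer to its device: the "active qemu timers"
   of the CVE text. Once the device is freed, its next expiry is a UAF. */
struct timer { struct dev *opaque; };

struct model {
    struct dev   devs[MAX_DEVS];
    struct timer timers[MAX_TIMERS];
    int ndevs, ntimers;
};

static struct dev *add_dev(struct model *m, int slot, int func, int no_hotplug)
{
    struct dev *d = &m->devs[m->ndevs++];
    d->devfn = PCI_DEVFN(slot, func);
    d->no_hotplug = no_hotplug;
    d->alive = 1;
    return d;
}

/* Assumed i440FX/PIIX3 layout: slot 1 carries the ISA bridge (func 0),
   IDE (func 1) and PIIX4 PM (func 3), none hot-pluggable; a virtio NIC
   sits in slot 3. The PM function owns one timer, like its ACPI timer. */
static void model_init(struct model *m)
{
    m->ndevs = m->ntimers = 0;
    add_dev(m, 1, 0, 1);                                   /* PIIX3 ISA bridge */
    add_dev(m, 1, 1, 1);                                   /* PIIX3 IDE */
    m->timers[m->ntimers++].opaque = add_dev(m, 1, 3, 1);  /* PIIX4 PM */
    add_dev(m, 3, 0, 0);                                   /* virtio-net, hot-pluggable */
}

/* ffs() as qemu uses it: 1-based index of the lowest set bit, 0 if none */
static int ffs_model(uint32_t v)
{
    int i;
    for (i = 1; v; i++, v >>= 1)
        if (v & 1)
            return i;
    return 0;
}

/* The eject loop. val is the guest's write to PCI_EJ_BASE (0xae08); bit n
   selects slot n. check_hotplug 0 is the vulnerable code, 1 is the fix. */
static int pciej_write_model(struct model *m, uint32_t val, int check_hotplug)
{
    int slot = ffs_model(val) - 1;   /* -1 for val == 0: no device matches */
    int i, ejected = 0;
    for (i = 0; i < m->ndevs; i++) {
        struct dev *d = &m->devs[i];
        if (!d->alive || PCI_SLOT(d->devfn) != slot)
            continue;
        if (check_hotplug && d->no_hotplug)   /* the added !info->no_hotplug test */
            continue;
        d->alive = 0;   /* qdev_free(): the device goes away, its timer does not */
        ejected++;
    }
    return ejected;
}

/* Devices removed by one guest write to PCI_EJ_BASE. */
int ejected_after_write(uint32_t val, int fixed)
{
    struct model m;
    model_init(&m);
    return pciej_write_model(&m, val, fixed);
}

/* Timers left pointing at a freed device after that write. */
int dangling_after_write(uint32_t val, int fixed)
{
    struct model m;
    int i, n = 0;
    model_init(&m);
    pciej_write_model(&m, val, fixed);
    for (i = 0; i < m.ntimers; i++)
        if (!m.timers[i].opaque->alive)
            n++;
    return n;
}

int main(void)
{
    uint32_t val = 1u << 1;   /* guest selects slot 1 */
    printf("vulnerable: %d ejected, %d dangling timer(s)\n",
           ejected_after_write(val, 0), dangling_after_write(val, 0));
    printf("fixed:      %d ejected, %d dangling timer(s)\n",
           ejected_after_write(val, 1), dangling_after_write(val, 1));
    return 0;
}
```

Only the lowest set bit of the written value is used, as in the real `ffs(val) - 1`, so a write of `(1 << 3) | (1 << 1)` targets slot 1 and, with the fix, ejects nothing even though slot 3 holds a hot-pluggable device; the model also shows why the fix is necessary rather than merely tidy: the vulnerable path frees all three slot-1 functions while the PM timer still points at one of them.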
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:59:19 UTC
This issue was resolved and addressed in GLSA 201210-04 by GLSA coordinator Stefan Behte (craig).