Hello vendors,

we have been informed by Nelson Elhage of a new security issue in qemu(-kvm). Details of the issue together with assigned CVE ID, reproducer and patch are attached. Another reproducer that actually shows guest -> host escape does exist. There are some mitigation factors though: ASLR, need for user space networking (in current exploit, we believe it could be removed though), sVirt. Anyway, this issue is real and exploitable.

Nelson agreed with a CRD of 2011-05-18 so please consider this issue embargoed until this date passes.

Thank you,
-- Petr Matousek / Red Hat Security Response Team

------- < patch > -------
Upstream commits: e8ec0571e16115203f4d6cc7eb31f930167592f8 0965f12da61cbfe62252d21a8e6fa309753760e8 2f6bfe3b0c5bb216abfe015d824eaf84c449c6a5 668643b025dcff72b9b18adb5df794be9e9be5dc 180c22e18b0a9be21445271f94347238b0bc0a25 be92bbf73dfd7d8a4786dc5f6c71590f4fbc5a32 + (+- some whitespaces)
diff --git a/hw/acpi.c b/hw/acpi.c index 4898b56..6488742 100644 --- a/hw/acpi.c +++ b/hw/acpi.c @@ -802,11 +802,13 @@ static void pciej_write(void *opaque, uint32_t addr, uint32_t val) BusState *bus = opaque; DeviceState *qdev, *next; PCIDevice *dev; + PCIDeviceInfo *info; int slot = ffs(val) - 1; QLIST_FOREACH_SAFE(qdev, &bus->children, sibling, next) { dev = DO_UPCAST(PCIDevice, qdev, qdev); - if (PCI_SLOT(dev->devfn) == slot) { + info = container_of(qdev->info, PCIDeviceInfo, qdev); + if (PCI_SLOT(dev->devfn) == slot && !info->no_hotplug) { qdev_free(qdev); } }
------- < /patch > -------
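Review bot: the new guard `if (PCI_SLOT(dev->devfn) == slot && !info->no_hotplug)` in pciej_write only refuses the eject for devices whose PCIDeviceInfo actually sets `no_hotplug`, and nothing in this hw/acpi.c hunk sets that flag for the PCI-ISA bridge the CVE text names; the six upstream commit ids listed above the diff indicate that the rest of the fix lives in other hunks, so a backport that carries only this hunk still lets `qdev_free` run on the bridge and leaves the use-after-free reachable. Suggest carrying the complete commit set together (in particular the change that marks the ISA bridge as not hot-pluggable), and adding a one-line comment above the new check saying why eject must be refused for such devices, since the reason is not obvious from the condition alone.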
Please provide an updated ebuild: a bump is needed for #364889 anyways and I think that issue is nearly as bad as this one. This one is embargoed for about three weeks, so I think it would be cool if you could bump #364889 for 0.13.x (looks like an easy patch to me) and have 0.14.x with patch for this issue ready in three weeks? As I have several machines running KVM, I'd be glad to help out: you can catch me on IRC or via mail.
Public now.
I don't see this in upstream's repo. Any idea where it can be found?
Fixed in app-emulation/qemu-kvm-0.14.1, which is now in the tree.
The target stable version will be qemu-kvm-0.14.1-r1
When can this go stable?
Added it to the existing GLSA request.
Stable now, removing dependency.
Added to pending GLSA request.
CVE-2011-1751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1751): The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."
This issue was resolved and addressed in GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml by GLSA coordinator Stefan Behte (craig).