One mention of this bug says it can be used to crash a guest by an unprivileged user, or possibly elevate privileges on the host.

From the upstream bug at $URL:

The virtio_queue_notify() function checks that the virtqueue number is less than the maximum number of virtqueues. A signed comparison is used, but the virtqueue number could be negative if a buggy or malicious guest is run. This results in memory accesses outside of the virtqueue array.

It is risky doing input validation in common code instead of at the guest<->host boundary. Note that virtio_queue_set_addr(), virtio_queue_get_addr(), virtio_queue_get_num(), and many other virtio functions do *not* validate the virtqueue number argument.

Instead of fixing the comparison in virtio_queue_notify(), move the comparison to the virtio bindings (just like VIRTIO_PCI_QUEUE_SEL) where we have a uint32_t value and can avoid ever calling into common virtio code if the virtqueue number is invalid.
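The following is an added, simplified model of the two check placements described above; it is not QEMU's code. VIRTIO_QUEUE_MAX, NotifyResult and the function names are assumptions, and the model records the index the common code would use instead of touching a real array, so the out-of-range case is observed rather than executed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed queue count for this model; not QEMU's own constant. */
#define VIRTIO_QUEUE_MAX 64

/* Records what the common-code path would do. No array is indexed,
 * so an out-of-range queue number is reported, never dereferenced. */
typedef struct {
    bool reached_common_code;   /* did the request get past validation? */
    long index_used;            /* index the common code would have used */
} NotifyResult;

/* Model of the original virtio_queue_notify() check: the queue number
 * arrives as a signed int and only the upper bound is tested. */
static NotifyResult notify_common_signed(int n)
{
    NotifyResult r = { false, 0 };
    if (n < VIRTIO_QUEUE_MAX) {        /* signed compare: -1 < 64 is true */
        r.reached_common_code = true;
        r.index_used = n;              /* negative n lands before the array */
    }
    return r;
}

/* Unfixed binding: forwards the guest's 32-bit register write unchanged.
 * Converting a value >= 2^31 to int yields a negative number on the
 * usual two's-complement targets (implementation-defined in C). */
static NotifyResult binding_notify_unchecked(uint32_t val)
{
    return notify_common_signed((int)val);
}

/* Fixed binding, following the upstream approach: validate the uint32_t
 * at the guest<->host boundary and never call common code with an
 * invalid queue number. */
static NotifyResult binding_notify_checked(uint32_t val)
{
    NotifyResult r = { false, 0 };
    if (val >= VIRTIO_QUEUE_MAX) {
        return r;                      /* rejected; nothing downstream runs */
    }
    return notify_common_signed((int)val);  /* now guaranteed 0..MAX-1 */
}
```

The unchecked path lets a value of 0xFFFFFFFF reach common code as index -1, while the checked path rejects it before any virtio code runs.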
This patch is included in qemu-kvm-1.0.
Added to pending GLSA request.
stabilization target: app-emulation/qemu-kvm-1.0-r3
target keywords: amd64 x86
USE="spice" yields the following:

The following keyword changes are necessary to proceed:
#required by app-emulation/spice-0.10.1[smartcard], required by app-emulation/qemu-kvm-1.0-r3[spice], required by =app-emulation/qemu-kvm-1.0-r3 (argument)
=app-emulation/libcacard-0.1.2 ~amd64
#required by app-emulation/libcacard-0.1.2, required by app-emulation/spice-0.10.1[smartcard], required by app-emulation/qemu-kvm-1.0-r3[spice], required by =app-emulation/qemu-kvm-1.0-r3 (argument)
=sys-apps/pcsc-lite-1.8.2 ~amd64

still going
amd64 ok
(In reply to comment #4)
> USE="spice" yields the following:
> The following keyword changes are necessary to proceed:
> #required by app-emulation/spice-0.10.1[smartcard], required by
> app-emulation/qemu-kvm-1.0-r3[spice], required by
> =app-emulation/qemu-kvm-1.0-r3 (argument)
> =app-emulation/libcacard-0.1.2 ~amd64
> #required by app-emulation/libcacard-0.1.2, required by
> app-emulation/spice-0.10.1[smartcard], required by
> app-emulation/qemu-kvm-1.0-r3[spice], required by
> =app-emulation/qemu-kvm-1.0-r3 (argument)
> =sys-apps/pcsc-lite-1.8.2 ~amd64
>
> still going

If you follow the depend chain, I requested app-emulation/spice-0.10.0 to be stable in bug #407357. It does not have any depends on smart card bits or libs.
I apologize. It appears it was updated to say 0.10.1 but we only need 0.10.0.
amd64 stable
Sorry for the bugspam, but qemu-kvm-1.0* does not work out of the box (with libvirt). bug 408977
@x86 you probably will continue in bug 411501. Feel free to stabilize it in the meantime
(In reply to comment #10)
> @x86
>
> you probably will continue in bug 411501. Feel free to stabilize it in the
> meantime

My bad, that bug is invalid, please continue. Apologies for the mailspam.
x86 stable
This issue was resolved and addressed in GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml by GLSA coordinator Stefan Behte (craig).