Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20110519103901.GJ5100@dhcp-25-225.brq.redhat.com>
Date: Thu, 19 May 2011 12:39:02 +0200
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org, nelhage@...hage.com
Subject: CVE-2011-1751 qemu: acpi_piix4: missing hotplug check during device
 removal

Writing the value 2 to I/O port 0xae08 ("PCI_EJ_BASE") initiates the
PIIX3 PCI-ISA bridge removal. Unplugging this causes all of the ISA
devices to be unplugged and right now the ISA (in particularly the
RTC) devices cannot handle unplug gracefuly.

During MC146818 removal RTCState structure backing the emulated RTC 
is freed but embedded timers are not unlinked from active_timers
list. Next time the timer fires SIGSEGV occurs. RTCState embedds
several QEMUTimer structures that define function pointers
(callbacks) that get called when timer expires.

Since the memory is freed, however, it is possible, under some
circumstances, for the guest to cause a controlled allocation into
the freed space, which can ultimately be exploited for code execution
in the context of the qemu or qemu-kvm process.

Credit: Nelson Elhage

References:
https://bugzilla.redhat.com/show_bug.cgi?id=699773
http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.