Bug 1012633 (CVE-2013-4377)

Summary: CVE-2013-4377 qemu: hot-unplugging virtio devices in guest can crash host qemu process
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amit.shah, areis, berrange, cfergeau, dwmw2, ehabkost, itamar, jrusnack, knoel, mtosatti, pbonzini, pfrields, rbalakri, rjones, scottt.tw, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-29 13:39:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 983344, 1012641    
Bug Blocks:    

Description Vincent Danen 2013-09-26 18:26:50 UTC 
A dangling pointer access flaw was found in the way qemu handled hot-unplugging virtio devices.  This flaw was introduced by virtio refactoring and exists in the virtio-pci implementation.  When the virtio-blk-pci device is deleted, the virtio-blk-device is removed first (removal is done in post-order).  Later, the virtio-blk-device is accessed again, but proxy->vdev->vq is no longer valid (a dangling pointer) and kvm_set_ioeventfd_pio fails.

A privileged guest user could use this flaw to crash the qemu process on the host system, causing a denial of service to it and any other running virtual machines.

Patches are available at http://thread.gmane.org/gmane.comp.emulators.qemu/234440


Acknowledgements:

This issue was discovered by Sibiao Luo of Red Hat.
Comment 1 Vincent Danen 2013-09-26 18:40:58 UTC 
CVE request:

http://www.openwall.com/lists/oss-security/2013/09/26/4
Comment 2 Vincent Danen 2013-09-26 18:45:14 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1012641]
Comment 3 Vincent Danen 2013-09-26 22:17:46 UTC 
This flaw was introduced in qemu version 1.4.0.
Comment 4 Vincent Danen 2013-09-26 22:18:57 UTC 
This was assigned CVE-2013-4377:

http://www.openwall.com/lists/oss-security/2013/09/26/5
Comment 5 Vincent Danen 2013-09-26 22:20:03 UTC 
Statement:

Not vulnerable.  This issue did not affect the version of qemu-kvm as shipped in Red Hat Enterprise Linux 5 and 6.
Comment 6 Fedora Update System 2013-10-15 06:37:10 UTC 
qemu-1.6.0-10.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.