Previously, system calls to the address_space_to_flatview function in some cases targeted functions that were not sufficiently synchronized by the read-copy-update (RCU) mechanism. This was a potential security risk. The affected system calls have been fixed, and they can no longer be used as a vector for malicious code.
When introducing of flatview_{read,write}, calls to address_space_to_flatview were placed outside RCU critical sections.
This is wrong and has to be fixed; even though it is unlikely to happen with standard operating systems, malicious code could use it to trigger use-after-free and heap corruption.
Patches posted upstream at:
http://patchew.org/QEMU/20180305083655.6186-1-pbonzini@redhat.com/
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3443
When introducing of flatview_{read,write}, calls to address_space_to_flatview were placed outside RCU critical sections. This is wrong and has to be fixed; even though it is unlikely to happen with standard operating systems, malicious code could use it to trigger use-after-free and heap corruption. Patches posted upstream at: http://patchew.org/QEMU/20180305083655.6186-1-pbonzini@redhat.com/