Bug 699773 (CVE-2011-1751)

Summary: CVE-2011-1751 qemu: acpi_piix4: missing hotplug check during device removal
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: apevec, bressers, chrisw, ehabkost, jrusnack, knoel, kraxel, lcapitulino, mjc, mkenneth, nelhage, rcvalle, security-response-team, tburke, virt-maint, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: public=20110518,reported=20110425,source=researcher,impact=important,cvss2=7.4/AV:A/AC:M/Au:S/C:C/I:C/A:C,rhel-6.0.z/qemu-kvm=affected,rhel-6.1/qemu-kvm=affected,cwe=CWE-672->CWE-119,mitigate=selinux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-26 15:22:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 699788, 699789, 699790, 699791, 699840
Bug Blocks:

Description Petr Matousek 2011-04-26 11:26:50 EDT
Writing the value 2 to I/O port 0xae08 ("PCI_EJ_BASE") initiates the PIIX3 PCI-ISA bridge removal. Unplugging this causes all of the ISA devices to be unplugged, and right now the ISA devices (in particular the RTC) cannot handle unplug gracefully.

During MC146818 removal the RTCState structure backing the emulated RTC is freed, but the embedded timers are not unlinked from the active_timers list. The next time a timer fires, a SIGSEGV occurs. RTCState embeds several QEMUTimer structures that define function pointers (callbacks) that get called when the timer expires.

Since the memory is freed, however, it is possible, under some circumstances, for the guest to cause a controlled allocation into the freed space, which can ultimately be exploited for code execution in the context of the qemu or qemu-kvm process.

ASLR partially mitigates this issue.

Acknowledgements:

Red Hat would like to thank Nelson Elhage for reporting this issue.
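The description above boils down to one ordering rule in device teardown: every timer embedded in a device's state must be unlinked from the global active list before that state is freed, otherwise the list keeps a pointer (with its callback and opaque pointer) into freed memory. The following C program is an added illustration of that pattern and is not QEMU code; the timer list, the RtcState layout, and all function names in it are constructed for this example. It shows the buggy ordering (free while still linked), a free-time guard that detects a timer still pointing into the object about to be freed, and the corrected ordering (unlink first, then free).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy timer list modelled on the pattern in the report (constructed; not QEMU's). */
typedef struct Timer {
    int64_t expire;                /* virtual time at which the timer fires */
    void (*cb)(void *opaque);      /* callback invoked on expiry */
    void *opaque;                  /* normally the embedding device state */
    struct Timer *next;            /* link in the active-timer list */
} Timer;

static Timer *active_timers;       /* head of the active list, sorted by expiry */

/* Unlink t from the active list if it is present. */
static void timer_del(Timer *t)
{
    for (Timer **pt = &active_timers; *pt; pt = &(*pt)->next) {
        if (*pt == t) { *pt = t->next; t->next = NULL; return; }
    }
}

/* Arm t to fire at `expire`, keeping the list sorted. */
static void timer_mod(Timer *t, int64_t expire)
{
    timer_del(t);
    t->expire = expire;
    Timer **pt = &active_timers;
    while (*pt && (*pt)->expire <= expire) pt = &(*pt)->next;
    t->next = *pt;
    *pt = t;
}

/* Fire every timer whose expiry is <= now; returns how many fired.
   If a fired timer lives in freed memory, the cb/opaque loads here are
   exactly the use-after-free the report describes. */
static int run_timers(int64_t now)
{
    int fired = 0;
    while (active_timers && active_timers->expire <= now) {
        Timer *t = active_timers;
        active_timers = t->next;
        t->next = NULL;
        t->cb(t->opaque);
        fired++;
    }
    return fired;
}

/* Count active timers whose struct lies inside [obj, obj+size). This must
   be zero before that memory may be freed; it is the guard a defensive
   free routine can assert on. */
static int timers_in_object(const void *obj, size_t size)
{
    const char *lo = obj, *hi = lo + size;
    int n = 0;
    for (const Timer *t = active_timers; t; t = t->next) {
        const char *p = (const char *)t;
        if (p >= lo && p < hi) n++;
    }
    return n;
}

/* Device state embedding its timers, in the shape RTCState has in the report. */
typedef struct RtcState {
    Timer periodic_timer;
    Timer second_timer;
    int ticks;
} RtcState;

static void rtc_periodic_cb(void *opaque)
{
    RtcState *s = opaque;
    s->ticks++;
    timer_mod(&s->periodic_timer, s->periodic_timer.expire + 10);   /* re-arm */
}

static void rtc_second_cb(void *opaque)
{
    RtcState *s = opaque;
    timer_mod(&s->second_timer, s->second_timer.expire + 1000);
}

static RtcState *rtc_create(int64_t now)
{
    RtcState *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->periodic_timer.cb = rtc_periodic_cb; s->periodic_timer.opaque = s;
    s->second_timer.cb = rtc_second_cb;     s->second_timer.opaque = s;
    timer_mod(&s->periodic_timer, now + 10);
    timer_mod(&s->second_timer, now + 1000);
    return s;
}

/* Unplug the device. unlink_timers == 0 reproduces the buggy ordering
   (free while timers are still linked): the guard refuses to free and
   returns -1. unlink_timers == 1 is the fix: timers are removed from the
   active list first, the guard passes, the state is freed, 0 is returned. */
static int rtc_unplug(RtcState *s, int unlink_timers)
{
    if (unlink_timers) {
        timer_del(&s->periodic_timer);
        timer_del(&s->second_timer);
    }
    if (timers_in_object(s, sizeof *s) != 0)
        return -1;   /* freeing now would leave a dangling list entry */
    free(s);
    return 0;
}

static int active_count(void)
{
    int n = 0;
    for (Timer *t = active_timers; t; t = t->next) n++;
    return n;
}

int main(void)
{
    RtcState *s = rtc_create(0);
    printf("armed timers: %d, fired by t=25: %d\n", active_count(), run_timers(25));
    printf("unplug without unlinking -> %d (active still %d)\n", rtc_unplug(s, 0), active_count());
    printf("unplug with unlinking    -> %d (active now %d)\n", rtc_unplug(s, 1), active_count());
    return 0;
}
```

The guard is deliberately cheap (a walk of the active list against the object's address range) so it can run on every device free in a debug build; in the report's scenario it would have refused the free that later turned into a SIGSEGV.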
Comment 8 Petr Matousek 2011-04-27 15:11:38 EDT
Tested the reproducer on RHEL5 with qemu-kvm under gdb. The code base is completely different, qdev isn't there - ISA devices (RTC) are not connected to piix3 as in RHEL6. The VM stops responding but no signs of use-after-free are present.
Comment 9 Petr Matousek 2011-05-02 05:43:59 EDT
Statement:

This issue only affects Red Hat Enterprise Linux 6. The version of the qemu/kvm as shipped with Red Hat Enterprise Linux 5 is not affected.
Comment 12 errata-xmlrpc 2011-05-19 09:02:44 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0534 https://rhn.redhat.com/errata/RHSA-2011-0534.html
Comment 13 Mark J. Cox (Product Security) 2011-08-19 04:21:21 EDT
http://blog.nelhage.com/2011/08/breaking-out-of-kvm/
Comment 14 Mark J. Cox (Product Security) 2011-08-26 10:21:56 EDT
http://danwalsh.livejournal.com/45194.html