Summary: CVE-2011-1751 qemu: acpi_piix4: missing hotplug check during device removal
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: apevec, bressers, chrisw, ehabkost, jrusnack, knoel, kraxel, lcapitulino, mjc, mkenneth, nelhage, rcvalle, security-response-team, tburke, virt-maint, ykaul
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2013-03-26 19:22:09 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 699788, 699789, 699790, 699791, 699840
Description Petr Matousek 2011-04-26 15:26:50 UTC
Writing the value 2 to I/O port 0xae08 ("PCI_EJ_BASE") initiates the PIIX3 PCI-ISA bridge removal. Unplugging this causes all of the ISA devices to be unplugged, and right now the ISA devices (in particular the RTC) cannot handle unplug gracefully. During MC146818 removal the RTCState structure backing the emulated RTC is freed, but the embedded timers are not unlinked from the active_timers list. The next time the timer fires, a SIGSEGV occurs.

RTCState embeds several QEMUTimer structures that define function pointers (callbacks) that get called when the timer expires. Since the memory is freed, however, it is possible, under some circumstances, for the guest to cause a controlled allocation into the freed space, which can ultimately be exploited for code execution in the context of the qemu or qemu-kvm process. ASLR partially mitigates this issue.

Acknowledgements: Red Hat would like to thank Nelson Elhage for reporting this issue.
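The defect described above is a teardown-ordering bug: a device state that embeds timers is freed while those timers remain linked in the global active list, so the next timer expiry dereferences freed memory. The following is an added illustration, not QEMU's code or anything from this report: it models a minimal active-timers list and an RTC-like state with two embedded timers (the names `Timer`, `RtcState`, `rtc_exit_buggy`, `rtc_exit_fixed` and `timers_inside` are assumptions chosen for the example), and contrasts a teardown that forgets to unlink the timers with one that deletes them before freeing. The `timers_inside()` check counts list entries whose address falls inside the state about to be freed, which is the condition a reviewer would want to see be zero at every device-exit path.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Minimal stand-in for a QEMUTimer and the active_timers list (constructed for this example). */
typedef struct Timer {
    int64_t expire_time;          /* absolute expiry time */
    void (*cb)(void *opaque);     /* callback invoked when the timer fires */
    void *opaque;                 /* normally the device state that embeds the timer */
    struct Timer *next;           /* link in the sorted active list */
} Timer;

static Timer *active_timers;      /* singly linked, sorted by expire_time */

/* Unlink t from the active list; harmless if t is not linked. */
static void timer_del(Timer *t) {
    for (Timer **pt = &active_timers; *pt; pt = &(*pt)->next) {
        if (*pt == t) { *pt = t->next; t->next = NULL; return; }
    }
}

/* (Re)arm t at expire_time, keeping the list sorted. */
static void timer_mod(Timer *t, int64_t expire_time) {
    timer_del(t);
    t->expire_time = expire_time;
    Timer **pt = &active_timers;
    while (*pt && (*pt)->expire_time <= expire_time) pt = &(*pt)->next;
    t->next = *pt;
    *pt = t;
}

/* Fire every timer that has expired at 'now'; returns how many callbacks ran. */
static int run_timers(int64_t now) {
    int fired = 0;
    while (active_timers && active_timers->expire_time <= now) {
        Timer *t = active_timers;
        active_timers = t->next;
        t->next = NULL;
        t->cb(t->opaque);         /* if opaque was freed, this is the crash from the report */
        fired++;
    }
    return fired;
}

/* Count active-list entries located inside the object [base, base+len). */
static int timers_inside(const void *base, size_t len) {
    uintptr_t lo = (uintptr_t)base, hi = lo + len;
    int n = 0;
    for (Timer *t = active_timers; t; t = t->next) {
        uintptr_t p = (uintptr_t)t;
        if (p >= lo && p < hi) n++;
    }
    return n;
}

/* RTC-like device state that embeds its timers, as RTCState does. */
typedef struct RtcState {
    int64_t ticks;
    int64_t seconds;
    Timer periodic_timer;
    Timer second_timer;
} RtcState;

static void rtc_periodic_cb(void *opaque) {
    RtcState *s = opaque;         /* dereferences the device state */
    s->ticks++;
    timer_mod(&s->periodic_timer, s->periodic_timer.expire_time + 1000);
}

static void rtc_second_cb(void *opaque) {
    RtcState *s = opaque;
    s->seconds++;
    timer_mod(&s->second_timer, s->second_timer.expire_time + 1000000);
}

static RtcState *rtc_init(int64_t now) {
    RtcState *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->periodic_timer.cb = rtc_periodic_cb; s->periodic_timer.opaque = s;
    s->second_timer.cb   = rtc_second_cb;   s->second_timer.opaque = s;
    timer_mod(&s->periodic_timer, now + 1000);
    timer_mod(&s->second_timer, now + 1000000);
    return s;
}

/* Teardown with the defect this bug describes: the state is freed while its
 * embedded timers stay linked. Returns the number of list entries that now
 * point into freed memory (counted just before the free). Calling
 * run_timers() afterwards would be the use-after-free. */
static int rtc_exit_buggy(RtcState *s) {
    int dangling = timers_inside(s, sizeof *s);
    free(s);
    return dangling;
}

/* Correct teardown: unlink every embedded timer before releasing the memory. */
static int rtc_exit_fixed(RtcState *s) {
    timer_del(&s->periodic_timer);
    timer_del(&s->second_timer);
    int dangling = timers_inside(s, sizeof *s);   /* expected: 0 */
    free(s);
    return dangling;
}

/* Drop the list head without touching nodes, so a demo can continue after rtc_exit_buggy(). */
static void active_timers_reset(void) { active_timers = NULL; }

int main(void) {
    RtcState *rtc = rtc_init(0);
    printf("callbacks fired by t=2500: %d\n", run_timers(2500));
    printf("fixed teardown leaves %d dangling timers\n", rtc_exit_fixed(rtc));
    printf("callbacks fired after teardown: %d\n", run_timers(5000));
    rtc = rtc_init(0);
    printf("buggy teardown leaves %d dangling timers\n", rtc_exit_buggy(rtc));
    active_timers_reset();    /* never run_timers() here: the list points into freed memory */
    return 0;
}
```

The useful habit this illustrates for reviewing hot-unplug paths is mechanical: every `timer_mod` in a device's init must be matched by a `timer_del` in its exit, and a sanity check like `timers_inside()` placed before the `free` turns the silent dangling pointer into a test failure instead of a later crash in an unrelated timer tick.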
Comment 8 Petr Matousek 2011-04-27 19:11:38 UTC
Tested the reproducer on RHEL5 with qemu-kvm under gdb. The code base is completely different; qdev isn't there, and ISA devices (RTC) are not connected to piix3 as in RHEL6. The VM stops responding, but no signs of use-after-free are present.
Comment 9 Petr Matousek 2011-05-02 09:43:59 UTC
Statement: This issue only affects Red Hat Enterprise Linux 6. The version of the qemu/kvm as shipped with Red Hat Enterprise Linux 5 is not affected.
Comment 10 Petr Matousek 2011-05-19 10:34:28 UTC
Comment 12 errata-xmlrpc 2011-05-19 13:02:44 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0534 https://rhn.redhat.com/errata/RHSA-2011-0534.html
Comment 13 Mark J. Cox 2011-08-19 08:21:21 UTC