Bug 713589 (CVE-2011-2212)

Summary: CVE-2011-2212 qemu-kvm: virtqueue: too-large indirect descriptor buffer overflow
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: akong, apevec, chrisw, ehabkost, huding, juzhang, lcapitulino, michen, mkenneth, mst, mtosatti, nelhage, qiguo, qzhang, rcvalle, security-response-team, sluo, tburke, virt-maint, xfu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: public=20110705,reported=20110615,source=researcher,impact=important,cvss2=7.4/AV:A/AC:M/Au:S/C:C/I:C/A:C,rhel-6/qemu-kvm=affected,rhel-5/kvm=notaffected,rhev-h/ovirt-node=notaffected,cwe=CWE-119
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-31 03:46:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 713592, 713593, 713594, 713595, 713597
Bug Blocks:

Description Petr Matousek 2011-06-15 16:45:48 EDT
It was found that the virtio subsystem in qemu-kvm did not properly validate virtqueue in and out requests from the guest. A privileged guest user could use this flaw to cause a buffer overflow, causing the guest to crash (denial of service) or, possibly, resulting in the privileged guest user escalating their privileges on the host.

Acknowledgements:

Red Hat would like to thank Nelson Elhage for reporting this issue.
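The validation gap the description refers to, as an added example that is not QEMU's code and not part of this bug report: a constructed C model of a device popping a guest-supplied indirect descriptor chain into a fixed-size in_sg array. The model shrinks VIRTQUEUE_MAX_SIZE to 8 (the real constant is 1024), lays a block of guard slots after in_sg to stand in for whatever follows the array in real memory, and makes the `bounded` flag the only difference between the unfixed loop and the fixed one; the check it models, comparing in_num against the array capacity before each write, is the example's assumption about the fix. Names such as pop_indirect, overflow_demo and the descriptor addresses are the example's own.

```c
/* Constructed model of a virtio device popping an indirect descriptor chain
 * into a fixed-size scatter list. Illustration for this bug, not QEMU code;
 * names and sizes are chosen for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VRING_DESC_F_NEXT  1
#define VRING_DESC_F_WRITE 2
#define VIRTQUEUE_MAX_SIZE 8     /* model value; real virtio uses 1024 */
#define GUARD_SLOTS        8     /* models memory located after in_sg */
#define GUARD_PATTERN      0xA5A5A5A5A5A5A5A5ULL

/* Guest-controlled descriptor, same layout as struct vring_desc. */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

/* Host-side element. slots[0..VIRTQUEUE_MAX_SIZE) plays the role of in_sg;
 * the GUARD_SLOTS after it are whatever follows in_sg in real memory. */
struct vq_elem {
    unsigned in_num;
    uint64_t slots[VIRTQUEUE_MAX_SIZE + GUARD_SLOTS];
};

static void elem_init(struct vq_elem *e)
{
    e->in_num = 0;
    for (unsigned i = 0; i < VIRTQUEUE_MAX_SIZE + GUARD_SLOTS; i++)
        e->slots[i] = GUARD_PATTERN;
}

/* Number of guard slots the guest overwrote; 0 means no overflow. */
static unsigned elem_guard_clobbered(const struct vq_elem *e)
{
    unsigned n = 0;
    for (unsigned i = VIRTQUEUE_MAX_SIZE; i < VIRTQUEUE_MAX_SIZE + GUARD_SLOTS; i++)
        if (e->slots[i] != GUARD_PATTERN)
            n++;
    return n;
}

/* Follow the chain in `table` (ndesc guest entries) from entry 0, appending
 * each write descriptor to elem. bounded=false trusts the guest's chain
 * length, as the unfixed code did; bounded=true stops once in_sg is full.
 * Returns descriptors collected, -1 for a malformed chain, -2 on the bound. */
static int pop_indirect(const struct vring_desc *table, unsigned ndesc,
                        struct vq_elem *elem, bool bounded)
{
    unsigned i = 0, visited = 0;
    elem->in_num = 0;
    for (;;) {
        if (i >= ndesc || ++visited > ndesc)
            return -1;                     /* index outside the table, or a loop */
        const struct vring_desc *d = &table[i];
        if (d->flags & VRING_DESC_F_WRITE) {
            if (bounded && elem->in_num >= VIRTQUEUE_MAX_SIZE)
                return -2;                 /* the check the fix adds */
            if (elem->in_num >= VIRTQUEUE_MAX_SIZE + GUARD_SLOTS)
                return -1;                 /* model memory ends; real code kept writing */
            elem->slots[elem->in_num++] = d->addr;
        }
        if (!(d->flags & VRING_DESC_F_NEXT))
            return (int)elem->in_num;
        i = d->next;
    }
}

/* Constructed chain of n write descriptors, each linking to the next. */
static void build_chain(struct vring_desc *table, unsigned n)
{
    for (unsigned i = 0; i < n; i++) {
        table[i].addr  = 0x1000ULL * (i + 1);   /* constructed guest addresses */
        table[i].len   = 64;
        table[i].flags = VRING_DESC_F_WRITE | (i + 1 < n ? VRING_DESC_F_NEXT : 0);
        table[i].next  = (uint16_t)(i + 1);
    }
}

/* Pop an n-entry chain; returns pop_indirect's result and stores the number
 * of clobbered guard slots in *clobbered. n is capped at the model's memory. */
static int overflow_demo(unsigned n, bool bounded, unsigned *clobbered)
{
    struct vring_desc table[VIRTQUEUE_MAX_SIZE + GUARD_SLOTS];
    struct vq_elem elem;
    if (n > VIRTQUEUE_MAX_SIZE + GUARD_SLOTS)
        n = VIRTQUEUE_MAX_SIZE + GUARD_SLOTS;
    build_chain(table, n);
    elem_init(&elem);
    int rc = pop_indirect(table, n, &elem, bounded);
    *clobbered = elem_guard_clobbered(&elem);
    return rc;
}

static int demo_rc(unsigned n, bool b) { unsigned h; return overflow_demo(n, b, &h); }
static unsigned demo_hit(unsigned n, bool b) { unsigned h; overflow_demo(n, b, &h); return h; }

int main(void)
{
    unsigned hit;
    int rc = overflow_demo(3, false, &hit);
    printf("3-entry chain, unbounded:  rc=%d, guard slots clobbered=%u\n", rc, hit);
    rc = overflow_demo(16, false, &hit);
    printf("16-entry chain, unbounded: rc=%d, guard slots clobbered=%u\n", rc, hit);
    rc = overflow_demo(16, true, &hit);
    printf("16-entry chain, bounded:   rc=%d, guard slots clobbered=%u\n", rc, hit);
    return 0;
}
```

The benign 3-entry chain behaves the same either way. The 16-entry chain shows the two behaviours the report contrasts: without the bound, every write descriptor past the eighth lands in the guard slots, which is the memory after in_sg in the real structure; with the bound, the pop stops with -2 after filling in_sg and the guard stays untouched. The in_num counter being bounded by the array capacity, not by how many descriptors the guest chose to chain, is the whole fix.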
Comment 11 Petr Matousek 2011-06-20 08:58:22 EDT
Statement:

This issue only affects Red Hat Enterprise Linux 6. The version of qemu/kvm as shipped with Red Hat Enterprise Linux 5 is not affected because it does not provide support for indirect descriptors.
Comment 12 errata-xmlrpc 2011-07-05 14:08:00 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0919 https://rhn.redhat.com/errata/RHSA-2011-0919.html