Red Hat Bugzilla – Bug 1012633
CVE-2013-4377 qemu: hot-unplugging virtio devices in guest can crash host qemu process
Last modified: 2015-10-15 14:01:36 EDT
A dangling pointer access flaw was found in the way qemu handled hot-unplugging virtio devices. This flaw was introduced by virtio refactoring and exists in the virtio-pci implementation. When the virtio-blk-pci device is deleted, the virtio-blk-device is removed first (removal is done in post-order). Later, the virtio-blk-device is accessed again, but proxy->vdev->vq is no longer valid (a dangling pointer) and kvm_set_ioeventfd_pio fails.
A privileged guest user could use this flaw to crash the qemu process on the host system, causing a denial of service to it and any other running virtual machines.
Patches are available at http://thread.gmane.org/gmane.comp.emulators.qemu/234440
This issue was discovered by Sibiao Luo of Red Hat.
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1012641]
This flaw was introduced in qemu version 1.4.0.
This was assigned CVE-2013-4377:
Not vulnerable. This issue did not affect the version of qemu-kvm as shipped in Red Hat Enterprise Linux 5 and 6.
qemu-1.6.0-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.