The following flaw was reported in spice: A guest issuing QXL commands to the host can read and write host memory in a range of about 16-20 GB. The guest can create a very large surface (say 1000000 x 1000000). If width * height overflows 32 bits and becomes a small number, the host will accept the command and create the surface. The guest can then copy areas of surfaces to access any area of memory covered by the image. Considering overflows, the pixman implementation and image formats (32 bit, top-down or down-top), the range (the guest passes an offset into video memory for the start) is about +/- 8 GB.
Acknowledgements: This issue was discovered by Frediano Ziglio of Red Hat.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html
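The size check described in the flaw report, shown as an added example that is not code from spice or from the report: a 32-bit product that wraps before the comparison, next to a division-based check that cannot wrap. The function names, the 64 MiB video memory size and the sample dimensions are assumptions constructed for illustration; 4 bytes per pixel corresponds to the 32 bit image format mentioned above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; nothing here is taken from the spice source. */
#define BYTES_PER_PIXEL 4u /* 32 bit image format */

/* Flawed form: the size is computed in 32 bits and wraps modulo 2^32
 * before it is compared with the available video memory. */
static bool surface_fits_wrapping(uint32_t width, uint32_t height,
                                  uint32_t vram_size)
{
    uint32_t needed = width * height * BYTES_PER_PIXEL;
    return needed <= vram_size;
}

/* Hardened form: reject empty surfaces and divide instead of multiplying,
 * so no intermediate value can exceed 32 bits. */
static bool surface_fits_checked(uint32_t width, uint32_t height,
                                 uint32_t vram_size)
{
    if (width == 0 || height == 0)
        return false;
    if (width > UINT32_MAX / BYTES_PER_PIXEL)
        return false;                 /* stride itself would wrap */
    uint32_t stride = width * BYTES_PER_PIXEL;
    if (height > vram_size / stride)
        return false;                 /* stride * height exceeds vram_size */
    return true;
}

int main(void)
{
    const uint32_t vram = 64u * 1024u * 1024u; /* constructed: 64 MiB */
    /* Constructed dimensions: 0x10000 * 0x10001 * 4 = 2^34 + 2^18,
     * which wraps to 2^18 bytes in 32-bit arithmetic. */
    const uint32_t w = 0x10000u, h = 0x10001u;

    printf("wrapping check accepts oversized surface: %d\n",
           surface_fits_wrapping(w, h, vram));
    printf("checked form accepts oversized surface:  %d\n",
           surface_fits_checked(w, h, vram));
    printf("checked form accepts 1024 x 768:         %d\n",
           surface_fits_checked(1024u, 768u, vram));
    return 0;
}
```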