Bug 699773 (CVE-2011-1751) - CVE-2011-1751 qemu: acpi_piix4: missing hotplug check during device removal
Alias: CVE-2011-1751
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 699788 699789 699790 699791 699840
Reported: 2011-04-26 15:26 UTC by Petr Matousek
Modified: 2023-05-11 17:39 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-03-26 19:22:09 UTC

System: Red Hat Product Errata
ID: RHSA-2011:0534
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: qemu-kvm security, bug fix, and enhancement update
Last Updated: 2011-05-19 11:20:36 UTC

Description Petr Matousek 2011-04-26 15:26:50 UTC
Writing the value 2 to I/O port 0xae08 ("PCI_EJ_BASE") initiates the PIIX3 PCI-ISA bridge removal. Unplugging this causes all of the ISA devices to be unplugged, and right now the ISA devices (in particular the RTC) cannot handle unplug gracefully.

During MC146818 removal, the RTCState structure backing the emulated RTC is freed, but the embedded timers are not unlinked from the active_timers list. The next time the timer fires, a SIGSEGV occurs. RTCState embeds several QEMUTimer structures that define function pointers (callbacks) that get called when the timer expires.

Since the memory is freed, however, it is possible, under some circumstances, for the guest to cause a controlled allocation into the freed space, which can ultimately be exploited for code execution in the context of the qemu or qemu-kvm process.

ASLR partially mitigates this issue.


Red Hat would like to thank Nelson Elhage for reporting this issue.
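
The two defensive measures implied by the description above, as an added example that is not QEMU code and not the shipped fix: an eject handler that refuses devices not marked hotpluggable, and a removal path that unlinks the embedded timer before freeing its container. All names (Timer, Device, eject, run_timers) are hypothetical and model the situation in simplified form.

```c
#include <stdlib.h>

/* Simplified model with hypothetical names; this is not QEMU source. */
typedef struct Timer {
    void (*cb)(void *opaque);      /* callback run when the timer expires */
    void *opaque;
    struct Timer *next;
} Timer;
typedef struct Device {
    int hotpluggable;              /* 0: guest may never eject this device */
    int ticks;
    Timer timer;                   /* embedded, like the timers in RTCState */
} Device;

static Timer *active_timers;       /* list of armed timers */
static void dev_tick(void *opaque) { ((Device *)opaque)->ticks++; }

static Device *dev_new(int hotpluggable) {
    Device *d = calloc(1, sizeof(*d));
    if (!d) abort();
    d->hotpluggable = hotpluggable;
    d->timer = (Timer){ dev_tick, d, active_timers };
    active_timers = &d->timer;     /* arm the embedded timer */
    return d;
}

/* Guest-requested eject: 0 if the device was removed, -1 if refused. */
static int eject(Device **slot) {
    Device *d = *slot;
    if (!d || !d->hotpluggable) return -1;   /* the hotplug check */
    /* Unlink the timer first so the list never points into freed memory. */
    for (Timer **pp = &active_timers; *pp; pp = &(*pp)->next)
        if (*pp == &d->timer) { *pp = d->timer.next; break; }
    free(d);
    *slot = NULL;
    return 0;
}

/* Fire every armed timer; returns how many callbacks ran. */
static int run_timers(void) {
    int n = 0;
    for (Timer *t = active_timers; t; t = t->next) { t->cb(t->opaque); n++; }
    return n;
}

int main(void) {
    Device *bridge = dev_new(0), *nic = dev_new(1);
    return !(eject(&bridge) == -1 && eject(&nic) == 0 && run_timers() == 1);
}
```
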

Comment 8 Petr Matousek 2011-04-27 19:11:38 UTC
Tested the reproducer on RHEL5 with qemu-kvm under gdb. The code base is completely different, qdev isn't there - ISA devices (RTC) are not connected to piix3 as in RHEL6. The VM stops responding but no signs of use-after-free are present.

Comment 9 Petr Matousek 2011-05-02 09:43:59 UTC

This issue only affects Red Hat Enterprise Linux 6. The version of the qemu/kvm as shipped with Red Hat Enterprise Linux 5 is not affected.

Comment 12 errata-xmlrpc 2011-05-19 13:02:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0534 https://rhn.redhat.com/errata/RHSA-2011-0534.html

Comment 14 Mark J. Cox 2011-08-26 14:21:56 UTC
