Writing the value 2 to I/O port 0xae08 ("PCI_EJ_BASE") initiates the PIIX3 PCI-ISA bridge removal. Unplugging this causes all of the ISA devices to be unplugged, and right now the ISA devices (in particular the RTC) cannot handle unplug gracefully. During MC146818 removal the RTCState structure backing the emulated RTC is freed, but its embedded timers are not unlinked from the active_timers list. The next time one of those timers fires, a SIGSEGV occurs. RTCState embeds several QEMUTimer structures that define function pointers (callbacks) that get called when the timer expires. Since the memory is freed, however, it is possible, under some circumstances, for the guest to cause a controlled allocation into the freed space, which can ultimately be exploited for code execution in the context of the qemu or qemu-kvm process. ASLR partially mitigates this issue. Acknowledgements: Red Hat would like to thank Nelson Elhage for reporting this issue.
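The pattern described above, as an added illustration that is not QEMU's code: a device whose state embeds its timers on an intrusive active-timers list, removed once without unlinking them (leaving dangling list entries behind) and once with the timers unlinked before the free. The Timer, Device and unplug_scenario names are constructed for this example.

```c
#include <stdlib.h>
#include <stdint.h>
/* Added illustration of the bug pattern, not QEMU's code: an intrusive
 * list of timers, each holding a callback and an opaque device pointer. */
typedef struct Timer {
    void (*cb)(void *opaque);
    void *opaque;
    struct Timer *next;
} Timer;
static Timer *active_timers;

/* Device state embedding its timers, as RTCState embeds QEMUTimers. */
typedef struct Device {
    int ticks;
    Timer periodic;   /* stands in for the periodic-interrupt timer */
    Timer second;     /* stands in for the once-per-second update timer */
} Device;

static void timer_add(Timer *t) { t->next = active_timers; active_timers = t; }

static void timer_del(Timer *t) {
    for (Timer **p = &active_timers; *p; p = &(*p)->next)
        if (*p == t) { *p = t->next; return; }
}

static void tick_cb(void *opaque) { ((Device *)opaque)->ticks++; }

/* Count linked timers whose storage lies inside the device about to be
 * freed; each one becomes a dangling list entry once free() runs. */
static int timers_inside(const Device *d) {
    uintptr_t lo = (uintptr_t)d, hi = lo + sizeof *d;
    int n = 0;
    for (Timer *t = active_timers; t; t = t->next)
        if ((uintptr_t)t >= lo && (uintptr_t)t < hi) n++;
    return n;
}

/* Create a device and unplug it. fixed == 0 frees the state with its
 * timers still linked (the bug); fixed == 1 unlinks them first. */
static int unplug_scenario(int fixed) {
    active_timers = NULL;                       /* fresh list per run */
    Device *d = calloc(1, sizeof *d); if (!d) return -1;
    d->periodic.cb = d->second.cb = tick_cb;
    d->periodic.opaque = d->second.opaque = d;
    timer_add(&d->periodic);
    timer_add(&d->second);
    if (fixed) { timer_del(&d->periodic); timer_del(&d->second); }
    int dangling = timers_inside(d);            /* 2 if buggy, 0 if fixed */
    free(d);
    return dangling;
}
```

In the buggy run the list still references two timers inside the freed block, so the next expiry would read a callback pointer from memory the allocator may already have handed out again; the fixed run leaves nothing behind.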
Tested the reproducer on RHEL5 with qemu-kvm under gdb. The code base is completely different, qdev isn't there - ISA devices (RTC) are not connected to piix3 as in RHEL6. The VM stops responding but no signs of use-after-free are present.
Statement: This issue only affects Red Hat Enterprise Linux 6. The version of the qemu/kvm as shipped with Red Hat Enterprise Linux 5 is not affected.
Upstream patch: http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html http://patchwork.ozlabs.org/patch/96331/
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2011:0534 https://rhn.redhat.com/errata/RHSA-2011-0534.html
http://blog.nelhage.com/2011/08/breaking-out-of-kvm/
http://danwalsh.livejournal.com/45194.html