A flaw was found in the way qemu validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.
Proposed upstream patch:
This issue was found by Jason Wang of Red Hat.
This issue does not affect the versions of kvm package as shipped with Red Hat Enterprise Linux 5 and qemu-kvm package as shipped with Red Hat Enterprise Linux 6.
Created qemu tracking bugs for this issue
Affects: fedora-all [bug 957161]