The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail.
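As an added illustration (not QEMU's code and not part of this bug report), a constructed C model of an x86 decoder's prefix-scanning loop, showing the unbounded form beside one that enforces the architectural 15-byte instruction limit; the prefix table, function names and sample input are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the prefix-scanning step of an x86 decoder, not QEMU's
 * disas_insn. Hardware raises #GP for any instruction longer than 15 bytes, so
 * an emulator's decoder has to enforce the same bound. */
#define X86_MAX_INSN_LEN 15

static bool is_legacy_prefix(uint8_t b)
{
    return b == 0x66 || b == 0x67 ||                           /* operand/address size */
           b == 0xf0 || b == 0xf2 || b == 0xf3 ||              /* LOCK, REPNE, REP */
           b == 0x26 || b == 0x2e || b == 0x36 || b == 0x3e || /* segment overrides */
           b == 0x64 || b == 0x65;
}

/* Weak form: eats prefixes for as long as the buffer lasts, so the decoded
 * instruction can be arbitrarily long. Returns the prefix count, or -1 when
 * no opcode byte follows within the buffer. */
static int prefix_len_unbounded(const uint8_t *code, size_t len)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(code[i]))
        i++;
    return i < len ? (int)i : -1;
}

/* Hardened form: 15 or more prefix bytes leave no room for an opcode inside
 * the 15-byte limit, so the instruction is rejected (caller raises #GP). */
static int prefix_len_bounded(const uint8_t *code, size_t len)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(code[i])) {
        if (++i >= X86_MAX_INSN_LEN)
            return -1;
    }
    return i < len ? (int)i : -1;
}

/* Constructed sample: nprefix copies of 0x66 followed by a NOP opcode (0x90). */
static int run_case(int (*decode)(const uint8_t *, size_t), int nprefix)
{
    uint8_t buf[64]; int i;
    for (i = 0; i < nprefix && i < 63; i++)
        buf[i] = 0x66;
    buf[i] = 0x90;
    return decode(buf, (size_t)i + 1);
}
```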
Created qemu tracking bugs for this issue:
Affects: epel-7 [bug 1769671]
Note that the QEMU project currently declares that any TCG bugs are NOT considered security issues, as the TCG emulation implementation is not considered to be of a quality that will provide guest isolation from the host:
"The non-virtualization use case covers emulation using the Tiny Code Generator (TCG). In principle the TCG and device emulation code used in conjunction with the non-virtualization use case should meet the same security requirements as the virtualization use case. However, for historical reasons much of the non-virtualization use case code was not written with these security requirements in mind.

Bugs affecting the non-virtualization use case are not considered security bugs at this time. Users with non-virtualization use cases must not rely on QEMU to provide guest isolation or any security guarantees."
Thanks for bringing that to Product Security's attention, Daniel.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):