Vigil@nce - QEMU-KVM: memory corruption via virtio_queue_notify
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker in a guest system can use virtio_queue_notify(),
in order to corrupt the memory of the host, which stops it, or
leads to code execution.
Severity: 2/4
Creation date: 29/06/2011
IMPACTED PRODUCTS
– Debian Linux
– Red Hat Enterprise Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The QEMU-KVM product uses the KVM kernel module, in order to
manage guest systems.
A host system usually emulates standard devices, for which guest
systems have a driver. The VIRTIO (Virtual Input-Output) interface
has less features than a hardware device, and its usage is thus
faster, with a VIRTIO driver installed in guest systems.
VIRTIO uses queues for data exchange. The virtio_queue_notify()
function of the hw/virtio.c file notifies that data is available
in a queue. However, this function does not check if the queue
index is negative. The system can thus write outside the queue
array.
A local attacker in a guest system can therefore use
virtio_queue_notify(), in order to corrupt the memory of the host,
which stops it, or leads to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-KVM-memory-corruption-via-virtio-queue-notify-10790