Vigil@nce: QEMU-KVM, buffer overflow of virtqueue_pop
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker in a guest system can use virtqueue_pop(), in
order to create a buffer overflow in the host, which stops it, or
leads to code execution.
– Severity: 2/4
– Creation date: 06/07/2011
IMPACTED PRODUCTS
– OpenSUSE
– Red Hat Enterprise Linux
– SUSE Linux Enterprise Desktop
– SUSE Linux Enterprise Server
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The QEMU-KVM product uses the KVM kernel module, in order to
manage guest systems.
A host system usually emulates standard devices, for which guest
systems have a driver. The VIRTIO (Virtual Input-Output) interface
has less features than a hardware device, and its usage is thus
faster, with a VIRTIO driver installed in guest systems.
VIRTIO uses queues for data exchange. However, the virtqueue_pop()
function of the hw/virtio.c file does not check if the number of
read/write descriptors is larger than the storage array.
A local attacker in a guest system can therefore use
virtqueue_pop(), in order to create a buffer overflow in the host,
which stops it, or leads to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-KVM-buffer-overflow-of-virtqueue-pop-10814