Vigil@nce - QEMU-KVM: privilege escalation via acpi_piix4
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker located in a QEMU-KVM guest system can remove a
non-hotpluggable PCI device in order to create a denial of service,
or to execute code with kernel privileges.
Severity: 2/4
Creation date: 20/05/2011
Revision date: 23/05/2011
IMPACTED PRODUCTS
– Debian Linux
– OpenSUSE
– Red Hat Enterprise Linux
– SUSE Linux Enterprise Server
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
QEMU-KVM is the user-space component which allows virtual machines
to be run using the KVM kernel module (Kernel-based Virtual
Machine).
The hw/acpi_piix4.c file of QEMU-KVM implements support for the
Intel PIIX4 PCI controller, which manages power states (ACPI). The
pciej_write() function is called during an ACPI EJ(ect) event, in
order to free the RTCState data structure used by a PCI device.
However, if the device does not support hotplug, the function
pointers (located in the QEMUTimer sub-structure contained in the
RTCState structure) are still dereferenced after the structure has
been freed.
A local attacker located in a QEMU-KVM guest system can therefore
remove a non-hotpluggable PCI device in order to create a denial of
service, or to execute code with kernel privileges.
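The check that the eject path needs, shown on a constructed model added here (this is not QEMU-KVM's own code; the slot table, Timer/Device structures, slot_attach(), piix4_eject_write() and slot_timer_intact() are hypothetical names): a guest write to the eject register names slots by bitmask, and the hardened handler refuses to free the state of any device that was never hot-pluggable, so its timer callback pointer is never left dangling.

```c
/* Constructed model of a PIIX4-style PCI eject-register handler (not QEMU's
 * code): the hardened handler refuses to free a non-hotpluggable device. */
#include <stdint.h>
#include <stdlib.h>
#define PCI_SLOTS 32

typedef struct Timer {
    void (*cb)(void *opaque); /* pointer the timer core dereferences later */
} Timer;

typedef struct Device {
    int hotpluggable;         /* 0 for built-in devices such as the RTC */
    Timer timer;
} Device;

static Device *slots[PCI_SLOTS];
int eject_refused;            /* slots refused by the last eject write */
static void rtc_tick(void *opaque) { (void)opaque; }

/* Place a device in a slot; returns 0 on success, -1 if slot is bad or taken. */
int slot_attach(int slot, int hotpluggable) {
    if (slot < 0 || slot >= PCI_SLOTS || slots[slot]) return -1;
    Device *d = calloc(1, sizeof *d);
    if (!d) return -1;
    d->hotpluggable = hotpluggable;
    d->timer.cb = rtc_tick;
    slots[slot] = d;
    return 0;
}

/* Guest write to the eject register: 'val' is a bitmask of slots. Returns the
 * number of devices freed; non-hotpluggable ones are skipped and counted. */
int piix4_eject_write(uint32_t val) {
    int ejected = 0;
    eject_refused = 0;
    for (int slot = 0; slot < PCI_SLOTS; slot++) {
        Device *d = slots[slot];
        if (!(val & (1u << slot)) || !d) continue;
        if (!d->hotpluggable) { eject_refused++; continue; } /* the missing check */
        slots[slot] = NULL; /* unlink first so nothing can reach the timer */
        free(d);
        ejected++;
    }
    return ejected;
}

/* True when the slot still holds a live device with its timer callback intact. */
int slot_timer_intact(int slot) {
    return slots[slot] != NULL && slots[slot]->timer.cb == rtc_tick;
}
```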
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-KVM-privilege-escalation-via-acpi-piix4-10673