Vigil@nce - Qemu: memory corruption via cirrus
December 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who is privileged in the guest system can generate a
memory corruption in the host system via cirrus of Qemu, in order
to trigger a denial of service, and possibly to execute code.
– Impacted products: Debian, MBS, Ubuntu, Unix (platform)
– Severity: 2/4
– Creation date: 04/12/2014
DESCRIPTION OF THE VULNERABILITY
The Qemu product uses by default the hw/display/cirrus_vga.c VGA
driver.
However, the blit_is_unsafe() function, does not check if the BIT
BLIT (picture in picture) operation uses a size which is too large.
An attacker who is privileged in the guest system can therefore
generate a memory corruption in the host system via cirrus of
Qemu, in order to trigger a denial of service, and possibly to
execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Qemu-memory-corruption-via-cirrus-15742