Vigil@nce - Qemu: memory corruption via IDE SMART
May 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker located in a guest system can trigger memory corruption
through the IDE SMART emulation of Qemu, in order to cause a denial of
service on the host and possibly to execute code.
Impacted products: Ubuntu, Unix (platform)
Severity: 2/4
Creation date: 16/04/2014
DESCRIPTION OF THE VULNERABILITY
The hw/ide/core.c file of Qemu implements support for IDE hard
drives.
The cmd_smart() function handles the IDE SMART command. However,
in "extended self test" mode, it writes 4 bytes before the
beginning of an array (an out-of-bounds write at a negative offset).
An attacker located in a guest system can therefore trigger memory
corruption through the IDE SMART emulation of Qemu, in order to
cause a denial of service on the host and possibly to execute code.
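The bulletin only states that the write lands before the start of an array. The following C program is an added, constructed illustration of that bug class (a guest-controlled 1-based counter that wraps to 0 and so produces a negative array offset) together with the bounds check a hardened handler would apply. It is not code from QEMU's hw/ide/core.c; the entry size, the entry count, the wrap-around logic and all function names are assumptions chosen for the illustration.

```c
/* Constructed illustration of an array-underflow pattern; not code from
 * QEMU's hw/ide/core.c.  Sizes, names and the wrap-around logic are
 * assumptions chosen to show the bug class and its check. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_SIZE  24                       /* bytes per log entry (assumed) */
#define MAX_ENTRIES 21                       /* entries the log holds (assumed) */
#define LOG_SIZE    (ENTRY_SIZE * MAX_ENTRIES)

typedef struct {
    uint8_t selftest_log[LOG_SIZE];          /* device-state buffer written on guest command */
} DeviceState;

/* Counter update as a buggy handler might write it: the counter is meant to
 * be 1-based, but after MAX_ENTRIES it wraps to 0 instead of 1. */
int next_count_buggy(int count)
{
    count++;
    if (count > MAX_ENTRIES)
        count = 0;
    return count;
}

/* Corrected update: the counter always stays within 1..MAX_ENTRIES. */
int next_count_fixed(int count)
{
    count++;
    if (count > MAX_ENTRIES)
        count = 1;
    return count;
}

/* Byte offset of the 1-based entry `count`.  A count of 0 yields -ENTRY_SIZE,
 * i.e. a write that would land before the start of the array. */
int entry_offset(int count)
{
    return (count - 1) * ENTRY_SIZE;
}

/* Hardened write: refuse any request whose entry does not lie entirely
 * inside the log.  Returns 0 on success, -1 if the request was rejected. */
int write_entry_checked(DeviceState *s, int count, uint8_t status)
{
    int off = entry_offset(count);
    if (count < 1 || count > MAX_ENTRIES || off < 0 || off + ENTRY_SIZE > LOG_SIZE)
        return -1;                           /* out of range: drop the write */
    memset(&s->selftest_log[off], 0, ENTRY_SIZE);
    s->selftest_log[off] = status;
    return 0;
}

int main(void)
{
    DeviceState s;
    memset(&s, 0, sizeof s);

    /* Walk the counter past its limit both ways and show where the write would land. */
    int c = MAX_ENTRIES;
    printf("buggy wrap: count %d -> %d, offset %d\n", c, next_count_buggy(c),
           entry_offset(next_count_buggy(c)));
    printf("fixed wrap: count %d -> %d, offset %d\n", c, next_count_fixed(c),
           entry_offset(next_count_fixed(c)));

    printf("checked write at count 0: %d (rejected)\n", write_entry_checked(&s, 0, 0x03));
    printf("checked write at count 1: %d (ok)\n", write_entry_checked(&s, 1, 0x03));
    return 0;
}
```

The point for a reviewer of device-emulation code is that any index derived from guest-visible state needs a lower bound as well as an upper bound: a counter that is "obviously" positive can still reach 0 after a wrap, and the resulting negative offset corrupts whatever the compiler placed before the array in the device state structure.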
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Qemu-memory-corruption-via-IDE-SMART-14605