qemu host crash from within guest

2013.09.27
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 2.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.4/10
Exploit range: Adjacent network
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

A dangling pointer access flaw was found in the way qemu handled hot-unplugging virtio devices. The flaw was introduced by the virtio refactoring and lives in the virtio-pci implementation. When the virtio-blk-pci device is deleted, its child virtio-blk-device is removed first (removal is done in post-order). The proxy's own teardown then accesses the virtio-blk-device again, but proxy->vdev->vq is no longer valid (a dangling pointer) and kvm_set_ioeventfd_pio fails. A privileged guest user could use this flaw to crash the qemu process on the host system, causing a denial of service to it and any other running virtual machines.

From the cover letter of the upstream fix series (the qemu-devel thread listed in the references):

This series fixes hot-unplug of virtio devices, which can crash due to dangling pointer accesses. The current implementation supports guest-initiated hot-unplug via the virtio_bus_destroy_device function, but not hot-unplugging the virtio device by virtue of unplugging its parent container device.

The problem is that the callback for the bus implementation to clean up is placed in the wrong place; it is in virtio_bus_destroy_device, which should be called by the bus, instead of being somewhere in device code. We need to have the callback in device code (for example in dc->exit), so that we invoke it on every unplug action, no matter who starts it.

Thus, the series cleans up plugging and unplugging of virtio devices so that it does not need any help from the bus (patches 1-4). It then stops the virtio devices' overriding of dc->exit, moving their cleanup code to the new exit callback in VirtioDeviceClass (patches 5-10). Finally, patch 11 can make virtio-pci implement the device_unplugged callback.

Something similar is probably needed in virtio-ccw too. However, virtio-ccw needs more surgery because it does not include a device_plugged callback either, so I did not touch it.
Paolo Bonzini (11):
  virtio-bus: remove vdev field
  virtio-pci: remove vdev field
  virtio-ccw: remove vdev field
  virtio-bus: cleanup plug/unplug interface
  virtio-blk: switch exit callback to VirtioDeviceClass
  virtio-serial: switch exit callback to VirtioDeviceClass
  virtio-net: switch exit callback to VirtioDeviceClass
  virtio-scsi: switch exit callback to VirtioDeviceClass
  virtio-balloon: switch exit callback to VirtioDeviceClass
  virtio-rng: switch exit callback to VirtioDeviceClass
  virtio-pci: add device_unplugged callback

 hw/block/virtio-blk.c           |  10 ++--
 hw/char/virtio-serial-bus.c     |  10 ++--
 hw/net/virtio-net.c             |  11 ++--
 hw/s390x/virtio-ccw.c           |  80 +++++++++++++++------------
 hw/s390x/virtio-ccw.h           |   1 -
 hw/scsi/vhost-scsi.c            |  11 ++--
 hw/scsi/virtio-scsi.c           |  15 +++--
 hw/virtio/virtio-balloon.c      |  10 ++--
 hw/virtio/virtio-bus.c          |  81 +++++++++++++++------------
 hw/virtio/virtio-mmio.c         |   9 +--
 hw/virtio/virtio-pci.c          | 119 ++++++++++++++++++++++++----------------
 hw/virtio/virtio-pci.h          |   1 -
 hw/virtio/virtio-rng.c          |  10 ++--
 hw/virtio/virtio.c              |   7 ++-
 include/hw/virtio/virtio-bus.h  |  22 +++++--
 include/hw/virtio/virtio-scsi.h |   2 +-
 include/hw/virtio/virtio.h      |   1 +
 17 files changed, 223 insertions(+), 177 deletions(-)

-- 
1.8.3.1
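To make the ordering problem concrete, the following is an added C model, written for this page and not taken from QEMU or from the patch series above, of a container proxy that holds a pointer to its child virtio device. In the pre-fix order the child is torn down first and the proxy's ioeventfd cleanup goes through proxy->vdev, which is already dead; in the post-fix order the child's own exit callback (the role the series gives to the device_unplugged callback) does the bus-side cleanup while the child is still valid. The struct names, the `live` flags and the boolean "ioeventfd" state are simplifications invented for this example; where the model counts a dangling access, a real allocator would give undefined behaviour and, as the advisory says, a crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the hot-unplug ordering described above; not QEMU
 * code.  Nothing is really freed: a `live` flag stands in for the allocator
 * so a dangling access is counted instead of being undefined behaviour, and
 * "ioeventfd" is a plain bool rather than a kvm ioctl. */

struct virtio_proxy;

struct virtio_device {            /* the child, e.g. virtio-blk-device */
    bool live;
    int nvqs;
    bool vq_ioeventfd[4];         /* host-side ioeventfd per queue */
    struct virtio_proxy *bus;     /* parent proxy, set when plugged */
};

struct virtio_proxy {             /* the container, e.g. virtio-blk-pci */
    struct virtio_device *vdev;   /* dangles if the child exits first */
    bool ioeventfd_started;
};

struct unplug_result {
    int dangling;                 /* accesses through a dead vdev */
    bool ioeventfd_leaked;        /* proxy never tore its ioeventfds down */
};

/* Stand-in for the kvm_set_ioeventfd_pio path, reached via proxy->vdev->vq.
 * Returns 0 on success, -1 if the device behind the proxy is already gone. */
static int proxy_stop_ioeventfd(struct virtio_proxy *proxy, int *dangling)
{
    struct virtio_device *vdev = proxy->vdev;
    if (!vdev->live) {            /* real QEMU: use-after-free right here */
        (*dangling)++;
        return -1;
    }
    for (int i = 0; i < vdev->nvqs; i++)
        vdev->vq_ioeventfd[i] = false;
    proxy->ioeventfd_started = false;
    return 0;
}

static void plug(struct virtio_proxy *proxy, struct virtio_device *vdev, int nvqs)
{
    vdev->live = true;
    vdev->nvqs = nvqs;
    vdev->bus = proxy;
    for (int i = 0; i < nvqs; i++)
        vdev->vq_ioeventfd[i] = true;
    proxy->vdev = vdev;
    proxy->ioeventfd_started = true;   /* device_plugged started them */
}

/* Post-fix device exit: notify the bus (device_unplugged) while the device is
 * still valid, then detach both sides so the proxy has nothing to touch. */
static void virtio_device_exit(struct virtio_device *vdev, int *dangling)
{
    if (vdev->bus != NULL) {
        proxy_stop_ioeventfd(vdev->bus, dangling);
        vdev->bus->vdev = NULL;
        vdev->bus = NULL;
    }
    vdev->live = false;
}

/* One hot-unplug of the container.  With fixed == false the child is simply
 * dropped first (post-order) and the proxy's exit then walks the stale
 * pointer; with fixed == true the child's exit callback does the bus cleanup. */
static struct unplug_result simulate_unplug(bool fixed)
{
    struct virtio_device dev;
    struct virtio_proxy proxy;
    struct unplug_result r = { 0, false };

    plug(&proxy, &dev, 2);
    if (fixed)
        virtio_device_exit(&dev, &r.dangling);
    else
        dev.live = false;         /* child exit ran; proxy->vdev is stale */
    if (proxy.vdev != NULL)       /* proxy (container) exit */
        proxy_stop_ioeventfd(&proxy, &r.dangling);

    r.ioeventfd_leaked = proxy.ioeventfd_started;
    return r;
}

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        struct unplug_result r = simulate_unplug(fixed);
        printf("%s order: %d dangling access(es), ioeventfd leaked: %s\n",
               fixed ? "fixed" : "buggy", r.dangling,
               r.ioeventfd_leaked ? "yes" : "no");
    }
    return 0;
}
```

Built with `cc -std=c99`, the buggy order reports one dangling access and a leaked ioeventfd (the cleanup that kvm_set_ioeventfd_pio was supposed to do never completes, which is the failure the advisory describes), while the fixed order reports neither. The general lesson is the one the cover letter draws: when a child object is destroyed post-order, any bus-level state that references it must be released from the child's own exit path, not from the parent's, or the parent will always run against a stale pointer.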

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1012633
http://thread.gmane.org/gmane.comp.emulators.qemu/234440


Copyright 2024, cxsecurity.com