
CVE-2011-1751

Published: 29 May 2011

The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."
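
As an added illustration for this entry, and not code from qemu-kvm, the upstream patch, or the Ubuntu packages: a self-contained C model of the handler shape the description refers to. A vulnerable eject routine frees whatever device sits in the slot the guest addressed, and a hardened one refuses when that device is not hotpluggable. A timer that keeps an opaque pointer to the freed device stands in for the "active qemu timers" of the description; the model only counts such dangling pointers rather than dereferencing them. Every identifier here (sim_bus, pciej_write_vuln, pciej_write_fixed, guest_eject), the slot layout, and the convention that the lowest set bit of the written value selects the slot are assumptions of the model, not facts taken from the qemu source.

```c
/* Model of the missing hotplug check described for CVE-2011-1751.
 * This is NOT hw/acpi_piix4.c from qemu-kvm; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* ffs() */

#define PCI_EJ_BASE 0xae08      /* I/O port named in the advisory */
#define NSLOTS 32

struct pci_dev {
    const char *name;
    int slot;
    bool hotpluggable;          /* false for a built-in device such as the PCI-ISA bridge */
    bool freed;                 /* simulation flag standing in for the device being freed */
};

/* A timer carries an opaque pointer to its owner, as qemu timers do. */
struct sim_timer {
    struct pci_dev *opaque;
    bool active;
};

struct sim_bus {
    struct pci_dev *slots[NSLOTS];
    struct sim_timer timers[4];
    size_t ntimers;
};

/* Constructed layout: slot 1 holds a non-hotpluggable PCI-ISA bridge that owns
 * one active timer; slot 6 holds a hotplugged NIC. Both are assumptions. */
static struct pci_dev bridge = { "pci-isa-bridge", 1, false, false };
static struct pci_dev nic    = { "hotplug-nic",    6, true,  false };

static void bus_init(struct sim_bus *bus)
{
    memset(bus, 0, sizeof *bus);
    bridge.freed = nic.freed = false;
    bus->slots[bridge.slot] = &bridge;
    bus->slots[nic.slot] = &nic;
    bus->timers[0] = (struct sim_timer){ &bridge, true };
    bus->ntimers = 1;
}

/* Vulnerable shape: whatever sits in the addressed slot is freed unconditionally. */
static void pciej_write_vuln(struct sim_bus *bus, uint32_t addr, uint32_t val)
{
    int slot = ffs(val) - 1;    /* lowest set bit selects the slot (model convention) */
    if (addr != PCI_EJ_BASE || slot < 0 || slot >= NSLOTS)
        return;
    struct pci_dev *dev = bus->slots[slot];
    if (dev) {
        dev->freed = true;      /* the timer in timers[] still points here */
        bus->slots[slot] = NULL;
    }
}

/* Hardened shape: a device that was never hotpluggable cannot be ejected. */
static void pciej_write_fixed(struct sim_bus *bus, uint32_t addr, uint32_t val)
{
    int slot = ffs(val) - 1;
    if (addr != PCI_EJ_BASE || slot < 0 || slot >= NSLOTS)
        return;
    struct pci_dev *dev = bus->slots[slot];
    if (!dev)
        return;
    if (!dev->hotpluggable) {
        fprintf(stderr, "eject of %s in slot %d refused: not hotpluggable\n",
                dev->name, slot);
        return;
    }
    dev->freed = true;
    bus->slots[slot] = NULL;
}

/* Count active timers whose opaque pointer now refers to a freed device.
 * In the real bug such a timer fires later and dereferences freed memory;
 * here we only count, so the program itself stays well-defined. */
static size_t dangling_timers(const struct sim_bus *bus)
{
    size_t n = 0;
    for (size_t i = 0; i < bus->ntimers; i++)
        if (bus->timers[i].active && bus->timers[i].opaque->freed)
            n++;
    return n;
}

/* One guest write of `val` to PCI_EJ_BASE against either handler. */
static size_t guest_eject(bool fixed, uint32_t val)
{
    struct sim_bus bus;
    bus_init(&bus);
    if (fixed)
        pciej_write_fixed(&bus, PCI_EJ_BASE, val);
    else
        pciej_write_vuln(&bus, PCI_EJ_BASE, val);
    return dangling_timers(&bus);
}

int main(void)
{
    printf("vulnerable, eject slot 1: %zu dangling timer(s)\n", guest_eject(false, 1u << 1));
    printf("fixed,      eject slot 1: %zu dangling timer(s)\n", guest_eject(true,  1u << 1));
    printf("fixed,      eject slot 6: %zu dangling timer(s)\n", guest_eject(true,  1u << 6));
    return 0;
}
```

The point of the model is the one-line difference: the eject path is reachable by any guest with I/O port access, so the device, not the guest, must decide whether it can be unplugged. The real fix also had to land on top of the other qemu changes jdstrand's note mentions; this model collapses all of that into a single flag.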

Priority

Medium

Status

Package: qemu-kvm (Launchpad, Ubuntu, Debian)
Upstream: needs triage

Patches:
Other: http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html
Vendor: http://www.debian.org/security/2011/dsa-2241
Vendor: https://rhn.redhat.com/errata/RHSA-2011-0534.html
This vulnerability is mitigated in part by an AppArmor profile.

Notes

Author: jdstrand
Note: patch requires several other patches to be applied first
adding apparmor tag since qemu-kvm is typically used with libvirt on Ubuntu, and is therefore confined by AppArmor

References

Bugs