CVE-2015-2756

Published: 1 April 2015

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.

Notes

Author: smb
Note: This is a qemu change which is part of the xen package for the "traditional" qemu. Trusty and newer only provide qemu traditional as a backup but by default use the generic qemu from the archive and Vivid completely drops qemu traditional. So the non-qemut patches in that XSA need to go into qemu.

Priority

Low

Status

Package Release Status

qemu
lucid: Does not exist
precise: Does not exist
trusty: Released (2.0.0+dfsg-2ubuntu1.11)
upstream: Needs triage
utopic: Released (2.1+dfsg-4ubuntu6.6)
vivid: Released (1:2.2+dfsg-5expubuntu9)
Patches:
upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=81b23ef82cd1be29ca3d69ab7e98b5b5e55926ce

qemu-kvm
lucid: Ignored (reached end-of-life)
precise: Not vulnerable (code not present)
trusty: Does not exist
upstream: Needs triage
utopic: Does not exist
vivid: Does not exist

xen
lucid: Does not exist
precise: Released (4.1.6.1-0ubuntu0.12.04.6)
trusty: Does not exist (trusty was released [4.4.1-0ubuntu0.14.04.5])
upstream: Needs triage
utopic: Released (4.4.1-0ubuntu0.14.10.5)
vivid: Not vulnerable
Binaries built from this source package are in Universe and so are supported by the community.

xen-3.3
lucid: Ignored (reached end-of-life)
precise: Does not exist
trusty: Does not exist
upstream: Ignored (reached end-of-life)
utopic: Does not exist
vivid: Does not exist
Binaries built from this source package are in Universe and so are supported by the community.