CVE-2011-1751

Priority
Medium
Description
The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management
emulation in qemu-kvm does not check if a device is hotpluggable before
unplugging the PCI-ISA bridge, which allows privileged guest users to cause
a denial of service (guest crash) and possibly execute arbitrary code by
sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads
to a use-after-free related to "active qemu timers."
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1751
http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html
https://usn.ubuntu.com/usn/usn-1145-1
Bugs
https://bugzilla.redhat.com/show_bug.cgi?id=699773
Notes
 jdstrand> patch requires several other patches to be applied first
 jdstrand> adding apparmor tag since qemu-kvm is typically used with libvirt
  on Ubuntu, and is therefore confined by AppArmor
Assigned-to
jdstrand
Package
Source: qemu-kvm (LP Ubuntu Debian)
Upstream:needs-triage
Patches:
Patch:http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html
Vendor:http://www.debian.org/security/2011/dsa-2241
Vendor:https://rhn.redhat.com/errata/RHSA-2011-0534.html
More Information

Updated: 2017-12-15 20:29:19 UTC (commit 13913)