CVE-2011-1751
Published: 29 May 2011
The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."
Notes
| Author | Note |
|---|---|
| jdstrand | patch requires several other patches to be applied first adding apparmor tag since qemu-kvm is typically used with libvirt on Ubuntu, and is therefore confined by AppArmor |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
qemu-kvm Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| lucid |
Released
(0.12.3+noroms-0ubuntu9.9)
|
|
| maverick |
Released
(0.12.5+noroms-0ubuntu7.5)
|
|
| natty |
Released
(0.14.0+noroms-0ubuntu4.1)
|
|
| upstream |
Needs triage
|
|
|
Patches: other: http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html vendor: http://www.debian.org/security/2011/dsa-2241 vendor: https://rhn.redhat.com/errata/RHSA-2011-0534.html |
||
| This vulnerability is mitigated in part by an AppArmor profile. | ||