Bug 964636 - VUL-0: CVE-2013-4151: xen: virtio: out-of-bounds buffer write on invalid state load
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/96363/
Reported: 2016-02-02 09:23 UTC by Johannes Segitz
Modified: 2016-02-03 12:17 UTC (History)

Found By: Security Response Team
Description Johannes Segitz 2016-02-02 09:23:39 UTC
+++ This bug was initially created as a clone of Bug #864653 +++

CVE-2013-4151

Michael S. Tsirkin writes:

QEMU 1.0 out-of-bounds buffer write in virtio_load@virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

A user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4151
https://bugzilla.redhat.com/show_bug.cgi?id=1066342
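The following is an added, self-contained C model of the pattern described above; it is not QEMU code and not part of the original report. It keeps the shape of the quoted loop (a big-endian count read from the stream, then that many `vring.num` writes into a fixed-size `vq[]` array) but replaces QEMUFile with an in-memory byte cursor, uses a hypothetical small `QUEUE_MAX` of 4 instead of QEMU's real `VIRTIO_PCI_QUEUE_MAX`, and places a few sentinel "guard" words after `vq[]` to stand in for whatever QEMU happens to lay out after `vdev->vq`. The unchecked loader mirrors the vulnerable code; the checked loader adds the bound that was missing, rejecting `num > QUEUE_MAX` before any write. The savevm fragment fed to both is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical values for the demo; QEMU's VIRTIO_PCI_QUEUE_MAX is larger. */
#define QUEUE_MAX   4
#define GUARD_WORDS 4              /* simulated memory that follows vq[] */
#define GUARD_FILL  0xDEADBEEFu    /* sentinel so clobbering is observable */
#define MAX_ENTRIES (QUEUE_MAX + GUARD_WORDS)

/* vq[] followed immediately by the guard words (all uint32_t, no padding). */
struct virtio_dev {
    struct { struct { uint32_t num; } vring; } vq[QUEUE_MAX];
    uint32_t guard[GUARD_WORDS];
};

/* Stand-in for QEMUFile: a cursor over an in-memory savevm stream. */
struct qemu_file { const uint8_t *p; size_t len; size_t off; };

static int get_be32(struct qemu_file *f, uint32_t *out) {
    if (f->off + 4 > f->len) return -1;          /* truncated stream */
    const uint8_t *b = f->p + f->off;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    f->off += 4;
    return 0;
}

static void put_be32(uint8_t *b, uint32_t v) {
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
}

/* Vulnerable shape: 'num' comes straight from the stream and is never
 * compared with QUEUE_MAX, so vq[i] runs past the array into guard[]. */
static int virtio_load_unchecked(struct virtio_dev *dev, struct qemu_file *f) {
    uint32_t num, v;
    if (get_be32(f, &num)) return -1;
    uint32_t *slot = (uint32_t *)dev;   /* slot[i] is vq[i].vring.num, then guard[] */
    for (uint32_t i = 0; i < num; i++) {
        if (get_be32(f, &v)) return -1;
        if (i >= MAX_ENTRIES) return -1; /* demo-only backstop at the end of the
                                            model struct; QEMU had no such check */
        slot[i] = v;
    }
    return 0;
}

/* Hardened shape: reject an out-of-range count before touching vq[]. */
static int virtio_load_checked(struct virtio_dev *dev, struct qemu_file *f) {
    uint32_t num, v;
    if (get_be32(f, &num)) return -1;
    if (num > QUEUE_MAX) return -1;      /* the missing bound */
    for (uint32_t i = 0; i < num; i++) {
        if (get_be32(f, &v)) return -1;
        dev->vq[i].vring.num = v;
    }
    return 0;
}

/* Constructed savevm fragment: count, then 'num' vring sizes (0x100 + i). */
static size_t build_stream(uint8_t *buf, uint32_t num) {
    put_be32(buf, num);
    for (uint32_t i = 0; i < num; i++) put_be32(buf + 4 + 4 * i, 0x100 + i);
    return 4 + 4 * (size_t)num;
}

static int guard_clobbered(const struct virtio_dev *dev) {
    int n = 0;
    for (int i = 0; i < GUARD_WORDS; i++) if (dev->guard[i] != GUARD_FILL) n++;
    return n;
}

/* Run one loader on a stream claiming 'num' queues; report rc and damage. */
int run_load(uint32_t num, int hardened, int *clobbered) {
    uint8_t buf[4 + 4 * MAX_ENTRIES];
    struct virtio_dev dev;
    if (num > MAX_ENTRIES) return -2;    /* stream buffer limit of the demo */
    memset(&dev, 0, sizeof dev);
    for (int i = 0; i < GUARD_WORDS; i++) dev.guard[i] = GUARD_FILL;
    struct qemu_file f = { buf, build_stream(buf, num), 0 };
    int rc = hardened ? virtio_load_checked(&dev, &f)
                      : virtio_load_unchecked(&dev, &f);
    *clobbered = guard_clobbered(&dev);
    return rc;
}

int load_rc(uint32_t num, int hardened) { int c; return run_load(num, hardened, &c); }
int load_clobbered(uint32_t num, int hardened) { int c; run_load(num, hardened, &c); return c; }

int main(void) {
    for (int hardened = 0; hardened <= 1; hardened++) {
        int c; int rc = run_load(QUEUE_MAX + 2, hardened, &c);
        printf("%s loader, num=%d: rc=%d, guard words clobbered=%d\n",
               hardened ? "checked" : "unchecked", QUEUE_MAX + 2, rc, c);
    }
    return 0;
}
```

With `num = QUEUE_MAX + 2` the unchecked loader returns success and has overwritten two words past the end of `vq[]`; the checked loader returns -1 with the guard intact. In the real process those overwritten words are whatever follows `vdev->vq`, which is why the advisory rates this as potential code execution in the QEMU process rather than a mere crash.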
Comment 2 Swamp Workflow Management 2016-02-02 23:00:34 UTC
bugbot adjusting priority
Comment 3 Charles Arnold 2016-02-02 23:05:37 UTC
Virtio devices are not supported in Xen so this bug is invalid.
There is no way to define virtio net or block devices for use with Xen.
Comment 4 Johannes Segitz 2016-02-03 12:17:35 UTC
not relevant for our XEN package