Bugzilla – Bug 964636
VUL-0: CVE-2013-4151: xen: virtio: out-of-bounds buffer write on invalid state load
Last modified: 2016-02-03 12:17:35 UTC
+++ This bug was initially created as a clone of Bug #864653 +++

CVE-2013-4151

Michael S. Tsirkin writes:

QEMU 1.0 out-of-bounds buffer write in virtio_load@virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);
    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond end of buffer.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4151
https://bugzilla.redhat.com/show_bug.cgi?id=1066342
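The missing check described in the report above, as an added example that is not part of the original bug report and is not QEMU's code: a loader that bounds the stream-supplied queue count by the array size before indexing. The struct names, get_be32, load_queues, load_sample, the sample byte streams and the value 64 for VIRTIO_PCI_QUEUE_MAX are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define VIRTIO_PCI_QUEUE_MAX 64   /* assumed value for this example */

/* Hypothetical stand-ins for QEMU's QEMUFile and VirtIODevice. */
struct stream { const uint8_t *buf; size_t len, pos; int err; };
struct vq { uint32_t vring_num; };
struct vdev { struct vq vq[VIRTIO_PCI_QUEUE_MAX]; };

/* Read a big-endian 32-bit value; set err and return 0 on a short stream. */
static uint32_t get_be32(struct stream *s)
{
    if (s->len - s->pos < 4) { s->err = 1; return 0; }
    const uint8_t *p = s->buf + s->pos;
    s->pos += 4;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Load queue state; returns 0 on success, -1 on invalid input. */
static int load_queues(struct vdev *vdev, struct stream *s)
{
    uint32_t num = get_be32(s);
    /* The check the reported loop lacks: num comes from the savevm
     * stream, so it must be bounded by the array size before use. */
    if (s->err || num > VIRTIO_PCI_QUEUE_MAX)
        return -1;
    for (uint32_t i = 0; i < num; i++) {
        uint32_t v = get_be32(s);
        if (s->err)
            return -1;          /* truncated stream */
        vdev->vq[i].vring_num = v;
    }
    return 0;
}

/* Constructed sample streams: a valid count of 2, and a count of 65. */
static const uint8_t good_state[] = { 0,0,0,2, 0,0,1,0, 0,0,0,128 };
static const uint8_t bad_state[]  = { 0,0,0,65, 0,0,1,0 };

static int load_sample(const uint8_t *buf, size_t len, struct vdev *out)
{
    struct stream s = { buf, len, 0, 0 };
    return load_queues(out, &s);
}
```

The loader treats the saved state as untrusted input: it rejects a count larger than the array and a stream that ends early, and fails the load instead of writing past vq[].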
bugbot adjusting priority
Virtio devices are not supported in Xen so this bug is invalid. There is no way to define virtio net or block devices for use with Xen.
not relevant for our XEN package