Bugzilla – Bug 964643
VUL-0: CVE-2013-6399: xen: virtio: buffer overrun on incoming migration
Last modified: 2016-02-03 11:46:09 UTC
+++ This bug was initially created as a clone of Bug #864814 +++ CVE-2013-6399 vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data. An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6399 https://bugzilla.redhat.com/show_bug.cgi?id=1066361
bugbot adjusting priority
Virtio devices are not supported in Xen so this bug is invalid. There is no way to define virtio net or block devices for use with Xen.
not relevant for our XEN package