CVE-2015-5166
http://xenbits.xen.org/xsa/advisory-139.html
Use after free in QEMU/Xen block unplug protocol
Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice.
When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer.
Use-after-free
http://xenbits.xen.org/xsa/xsa139-qemuu-4.5.patch
pci_piix3_xen_ide_unplug should completely unhook the unplugged IDEDevice from the corresponding BlockBackend, otherwise the next call to release_drive will try to detach the drive again.
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -172,6 +172,7 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
PCIIDEState *pci_ide;
DriveInfo *di;
int i = 0;
+ IDEDevice *idedev;
pci_ide = PCI_IDE(dev);
@@ -184,6 +185,12 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
}
bdrv_close(di->bdrv);
pci_ide->bus[di->bus].ifs[di->unit].bs = NULL;
+ if (!(i % 2)) {
+ idedev = pci_ide->bus[di->bus].master;
+ } else {
+ idedev = pci_ide->bus[di->bus].slave;
+ }
+ idedev->conf.bs = NULL;
drive_put_ref(di);
}
}An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process elevating its privilege to that of the qemu process.
privilege escalation