XSA-139

CVE-2015-5166


问题描述

http://xenbits.xen.org/xsa/advisory-139.html

Use after free in QEMU/Xen block unplug protocol

Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice.

When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer.

Use-after-free


Patch描述

http://xenbits.xen.org/xsa/xsa139-qemuu-4.5.patch

pci_piix3_xen_ide_unplug should completely unhook the unplugged IDEDevice from the corresponding BlockBackend, otherwise the next call to release_drive will try to detach the drive again.

--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -172,6 +172,7 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
     PCIIDEState *pci_ide;
     DriveInfo *di;
     int i = 0;
+    IDEDevice *idedev;
 
     pci_ide = PCI_IDE(dev);
 
@@ -184,6 +185,12 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
             }
             bdrv_close(di->bdrv);
             pci_ide->bus[di->bus].ifs[di->unit].bs = NULL;
+            if (!(i % 2)) {
+                idedev = pci_ide->bus[di->bus].master;
+            } else {
+                idedev = pci_ide->bus[di->bus].slave;
+            }
+            idedev->conf.bs = NULL;
             drive_put_ref(di);
         }
     }

Consequence

An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process elevating its privilege to that of the qemu process.

privilege escalation