The virtio_queue_notify in qemu-kvm 0.14.0 and earlier does not properly validate the virtqueue number, which allows guest users to cause a denial of service (guest crash) and possibly execute arbitrary code via a negative number in the Queue Notify field of the Virtio Header, which bypasses a signed comparison.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://rhn.redhat.com/errata/RHSA-2011-0919.html | vendor advisory |
| http://secunia.com/advisories/45170 | third party advisory vendor advisory |
| http://www.openwall.com/lists/oss-security/2011/06/28/13 | mailing list patch |
| http://secunia.com/advisories/44648 | third party advisory vendor advisory |
| http://www.openwall.com/lists/oss-security/2011/06/29/15 | mailing list patch |
| http://secunia.com/advisories/45301 | third party advisory vendor advisory |
| http://secunia.com/advisories/45158 | third party advisory vendor advisory |
| http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00007.html | vendor advisory |
| http://www.osvdb.org/74751 | vdb entry |
| http://secunia.com/advisories/44458 | third party advisory vendor advisory |
| http://ubuntu.com/usn/usn-1165-1 | vendor advisory |
| https://www.debian.org/security/2011/dsa-2270 | vendor advisory |
| https://hermes.opensuse.org/messages/9605323 | vendor advisory |
| http://git.kernel.org/?p=virt/kvm/qemu-kvm.git%3Ba=commitdiff%3Bh=7157e2e23e89adcd436caeab31fdd6b47eded377 |