Description

The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924

https://github.com/torvalds/linux/commit/ee73f656a604d5aa9df86a97102e4e462dd79924

https://bugzilla.redhat.com/show_bug.cgi?id=1229640

http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.33

http://www.openwall.com/lists/oss-security/2015/06/25/7

https://security.gentoo.org/glsa/201510-02

http://www.securityfocus.com/bid/75273

https://www.mail-archive.com/[email protected]/msg304138.html

https://support.lenovo.com/product_security/qemu

http://www.securitytracker.com/id/1032598

https://support.lenovo.com/us/en/product_security/qemu

http://rhn.redhat.com/errata/RHSA-2015-1512.html

http://rhn.redhat.com/errata/RHSA-2015-1508.html

http://rhn.redhat.com/errata/RHSA-2015-1507.html

https://www.exploit-db.com/exploits/37990/

http://www.debian.org/security/2015/dsa-3348

https://www.arista.com/en/support/advisories-notices/security-advisories/1180-security-advisory-13

Details

Risk Information

CVSS v2