Anthony Liguori

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A heap-based buffer overflow issue exists in the virtio load function, located in hw/virtio/virtio.c, which could potentially allow remote attackers to execute arbitrary code. This is achievable by providing a crafted config length in a savevm image. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists, allowing remote attackers to cause a denial of service or possibly execute arbitrary code. This issue is related to vectors involving IRQDest elements in the hw/intc/openpic.c file. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists in the scoop gpio handler update function. This could potentially allow remote attackers to execute arbitrary code by providing a large value for `prev level`, `gpio level`, or `gpio dir` in a savevm image. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to the `usb device post load` function in `hw/usb/bus.c`, which might allow remote attackers to execute arbitrary code via a crafted savevm image. This is due to a negative `setup len` or `setup index` value. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to savevm images to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to an array index error in the `virtio load` function, located in `hw/virtio/virtio.c`. This error allows remote attackers to execute arbitrary code via a crafted savevm image. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to a buffer overflow in the hw/ide/ahci.c file. This can be exploited by remote attackers to cause a denial of service and potentially execute arbitrary code, specifically through vectors related to migrating ports. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to a buffer overflow in the hw/timer/hpet.c file. This might allow remote attackers to execute arbitrary code via vectors related to the number of timers. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to a buffer overflow in the hw/pci/pcie aer.c file. This can be exploited by remote attackers to cause a denial of service and potentially execute arbitrary code. The exploitation is possible via a large log num value in a savevm image. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to a buffer overflow in the hw/ssi/pl022.c file, which can be triggered by remote attackers sending crafted `tx fifo head` and `rx fifo head` values in a savevm image. This can cause a denial of service or potentially allow the execution of arbitrary code. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to savevm images to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists, allowing remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in `cpreg vmstate array len` in a savevm image. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** A buffer overflow issue exists in the pxa2xx ssp load function, located in hw/arm/pxa2xx.c, which can be triggered by a crafted s->rx level value in a savevm image. This can lead to a denial of service or potentially allow remote attackers to execute arbitrary code. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to savevm images to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue allows remote attackers to execute arbitrary code via a crafted `arglen` value in a savevm image. This is related to the `ssi sd transfer` function in `hw/sd/ssi-sd.c`. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to multiple buffer overflows in the `ssd0323 load` function, which can be triggered by crafted values in a savevm image, including `cmd len`, `row`, `col`, `row start`, `row end`, `col start`, and `col end`. This can cause a denial of service due to memory corruption or possibly allow the execution of arbitrary code. **Recommendations** For QEMU versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is related to multiple buffer overflows in the `tsc210x load` function, which might allow remote attackers to execute arbitrary code. This can be achieved by crafting specific values in a savevm image, including `precision`, `nextprecision`, `function`, or `nextfunction`. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions 1.5.0 through 1.7.x before 1.7.2 **Description** The issue allows remote attackers to cause a denial of service or possibly execute arbitrary code. This is achieved through vectors where the value of `curr queues` is greater than `max queues`, triggering an out-of-bounds write. **Recommendations** For QEMU versions 1.5.0 through 1.7.x before 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 1.7.2 **Description** The issue is caused by an integer signedness error in the virtio net load function, which can be exploited by remote attackers to execute arbitrary code via a crafted savevm image. This triggers a buffer overflow. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to the savevm functionality of the QEMU hardware emulator, which can be exploited to alter savevm data. This could allow an attacker to access confidential data, compromise its integrity, and cause a denial of service. An attacker able to modify the savevm data could potentially corrupt the QEMU process memory on the host, leading to arbitrary code execution with the privileges of the QEMU process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.