A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM’s boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | qemu | <Â 1:7.2+dfsg-7+deb12u3 | qemu_1:7.2+dfsg-7+deb12u3_all.deb |
Debian | 11 | all | qemu | <=Â 1:5.2+dfsg-11+deb11u3 | qemu_1:5.2+dfsg-11+deb11u3_all.deb |
Debian | 10 | all | qemu | <Â 1:3.1+dfsg-8+deb10u12 | qemu_1:3.1+dfsg-8+deb10u12_all.deb |
Debian | 999 | all | qemu | <Â 1:8.1.1+ds-2 | qemu_1:8.1.1+ds-2_all.deb |
Debian | 13 | all | qemu | <Â 1:8.1.1+ds-2 | qemu_1:8.1.1+ds-2_all.deb |