Xen Project XSA-41
Jan 16, 2013 - 2:50 p.m.

qemu (e1000 device driver): Buffer overflow when processing large packets

2013-01-16 14:50:00
Xen Project
xenbits.xen.org

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.023 Low
Percentile: 89.6%

SUMMARY AND SOURCES OF INFORMATION

An issue in qemu has been disclosed which we believe affects some users of Xen.
The Qemu project has not itself issued an advisory. More information may be available in the advisories published by the distros:
https://bugzilla.redhat.com/show_bug.cgi?id=889301
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051

CAVEAT

For full and accurate information please refer to those advisories. We have not conducted a full review of the information and patches provided.
The rest of the information in this advisory is true to the best of our knowledge at the time of writing.

IMPACT

The vulnerability impacts any host running HVM (Fully-Emulated) guests which are configured with an e1000 NIC (using “model=e1000”) in their VIF configuration. Note that the default emulated NIC is “rtl8139” which is not vulnerable.
In a vulnerable configuration a hostile network packet may be able to corrupt the memory of the guest, leading to a guest DoS or remote privilege escalation.
We do not believe that this issue enables an attack against the host.
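
A check for the affected configuration described above, as an added example that is not part of the Xen advisory: it scans guest configuration text for HVM guests whose vif entries request model=e1000. The sample configs are constructed, and the `builder`/`type` keys used to recognise an HVM guest are an assumption about the xl/xm config format, which the advisory does not show.

```python
import re

# Constructed sample guest configs (xl/xm syntax); names and values are made up.
SAMPLES = {
    "web01.cfg": '''
builder = "hvm"
vif = [ "mac=00:16:3e:00:00:01,bridge=xenbr0,model=e1000",
        "bridge=xenbr1" ]
''',
    "db01.cfg": '''
builder = "hvm"
vif = [ 'bridge=xenbr0' ]   # no model given: default emulated NIC (rtl8139)
''',
    "pv01.cfg": '''
kernel = "/boot/vmlinuz-guest"
vif = [ 'bridge=xenbr0, model=e1000' ]
''',
}

# Assumption: HVM guests are marked with builder="hvm" (or type="hvm" on newer xl).
HVM_RE = re.compile(r'^\s*(?:builder|type)\s*=\s*["\']hvm["\']', re.M)
VIF_RE = re.compile(r'^\s*vif\s*=\s*\[(.*?)\]', re.M | re.S)
QUOTED_RE = re.compile(r'["\']([^"\']*)["\']')

def e1000_vifs(cfg_text):
    """Return indexes of vif entries requesting model=e1000 in an HVM guest."""
    text = re.sub(r'#.*', '', cfg_text)   # drop comments (assumes no '#' in values)
    if not HVM_RE.search(text):
        return []                         # the advisory only concerns HVM guests
    match = VIF_RE.search(text)
    if not match:
        return []
    hits = []
    for idx, spec in enumerate(QUOTED_RE.findall(match.group(1))):
        pairs = (kv.split('=', 1) for kv in spec.split(',') if '=' in kv)
        opts = {k.strip().lower(): v.strip().lower() for k, v in pairs}
        if opts.get('model') == 'e1000':
            hits.append(idx)
    return hits

def audit(configs):
    """Map config name -> affected vif indexes, listing affected guests only."""
    found = {name: e1000_vifs(text) for name, text in configs.items()}
    return {name: idxs for name, idxs in found.items() if idxs}

if __name__ == "__main__":
    for name, idxs in audit(SAMPLES).items():
        print(f"{name}: vif entries {idxs} use model=e1000")
```

To audit a real host, pass `audit()` a dict built from the guest config files on disk instead of `SAMPLES`.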
