There's a bug in the VNC code that overruns the heap whenever the horizontal resolution isn't a multiple of 16. Here's how to trigger it:

Step 1: Build a Linux kernel with CONFIG_FB_VESA=y. The one you're running right now probably works.

Step 2: <qemu-kvm binary> -vga std -kernel bzImage -append 'vga=898' -vnc localhost:2

Step 3: Connect and disconnect VNC a few times.

This can also be triggered on Windows, etc.

I can't trigger it on upstream qemu because 1400x1050 isn't listed, cirrusfb is too broken to force that mode, and vmwgfx seems to be even more broken right now. (I'm way too lazy to make an image containing X just for this.)

This bug is present in F13 and in Avi's tree from a week or so ago. I can't test the latest -git because that one segfaults instantly no matter what I do.

I'll leave the actual exploit as an exercise to the reader.

I'm emailing here because the bug is easiest to trigger in qemu-kvm and because both Red Hat / Fedora and upstream qemu have been ignoring a security bug for over two weeks. See:

https://bugs.launchpad.net/qemu/+bug/575887 (Upstream bug)
https://bugzilla.redhat.com/show_bug.cgi?id=583850 (Fedora bug)

--Andy

--
To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html