CVE-2013-4535
QEMU vulnerability analysis and mitigation

Overview

The CVE-2013-4535 vulnerability affects the virtqueue_map_sg function in hw/virtio/virtio.c in QEMU versions before 1.7.2. This vulnerability was discovered as part of a state loading code audit performed by Michael S. Tsirkin of Red Hat, Anthony Liguori, and Michael Roth (QEMU Stable).

Technical details

The vulnerability exists in the virtqueue_map_sg function. When device state is loaded, VirtQueueElements are read as raw buffers, so the num_sg value passed to virtqueue_map_sg is taken from the wire without proper validation. A crafted value can force writes to indices beyond VIRTQUEUE_MAX_SIZE. The vulnerability has a CVSS 3.1 Base Score of 8.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).
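
The missing check described above, sketched in C as an added example (not QEMU's code and not its actual patch). The struct layout, the function names, the demo helper, and the value 1024 for VIRTQUEUE_MAX_SIZE are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VIRTQUEUE_MAX_SIZE 1024  /* assumed array bound for this sketch */

/* Hypothetical, simplified element as stored in the saved state. */
struct elem {
    uint32_t in_num;                       /* count field, untrusted on load */
    uint64_t in_addr[VIRTQUEUE_MAX_SIZE];  /* guest addresses */
};
struct sg_entry { uint64_t base; };

/* Mapping step with the bound enforced before any array write. */
int map_sg_checked(struct sg_entry *sg, const uint64_t *addr, size_t num_sg)
{
    if (num_sg > VIRTQUEUE_MAX_SIZE)
        return -1;                         /* count would index past the arrays */
    for (size_t i = 0; i < num_sg; i++)
        sg[i].base = addr[i];
    return 0;
}

/* Load one element from an untrusted buffer (savevm file or migration stream).
 * Returns 0 on success, -1 if the buffer is short or the count is invalid. */
int load_elem(const uint8_t *buf, size_t len, struct elem *e,
              struct sg_entry *sg)
{
    if (len < sizeof(*e))
        return -1;
    memcpy(e, buf, sizeof(*e));            /* element read as a raw buffer */
    return map_sg_checked(sg, e->in_addr, e->in_num);
}

/* Constructed sample input: a saved element claiming `claimed_num` entries. */
int demo(uint32_t claimed_num)
{
    static struct elem src, dst;
    static struct sg_entry sg[VIRTQUEUE_MAX_SIZE];
    memset(&src, 0, sizeof(src));
    src.in_num = claimed_num;
    src.in_addr[0] = 0x1000;
    return load_elem((const uint8_t *)&src, sizeof(src), &dst, sg);
}

int main(void)
{
    return (demo(4) == 0 && demo(VIRTQUEUE_MAX_SIZE + 1) == -1) ? 0 : 1;
}
```

Without the comparison in map_sg_checked, the loop bound would come straight from the loaded count field, which is the condition the paragraph above describes.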

Impact

An attacker who can alter the savevm data, either on disk or during migration over the wire, could exploit this vulnerability to corrupt QEMU process memory on the destination host. This corruption could potentially lead to arbitrary code execution with the privileges of the QEMU process (Red Hat Bugzilla).

Mitigation and workarounds

The vulnerability was fixed in QEMU version 1.7.2. Users are advised to upgrade to this version or apply the appropriate security patches. For systems using Red Hat Enterprise Linux, multiple security advisories (RHSA-2014:0743, RHSA-2014:0744) were released with backported patches. After applying the updates, all running virtual machines must be shut down and restarted for the fix to take effect (Red Hat Advisory).

This report was generated using AI.

Related QEMU vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2024-7730 | HIGH | 7.8 | NixOS | qemu | No | Yes | Nov 14, 2024 |
| CVE-2025-11234 | HIGH | 7.5 | Red Hat Enterprise Linux CoreOS (RHCOS) | qemu-accel-tcg-x86 | No | Yes | Oct 03, 2025 |
| CVE-2025-12464 | MEDIUM | 6.2 | CBL Mariner | qemu-SLOF | No | Yes | Oct 31, 2025 |
| CVE-2025-54567 | MEDIUM | 5.4 | NixOS | qemu-kvm-tools | No | Yes | Jul 25, 2025 |
| CVE-2025-54566 | MEDIUM | 5.4 | NixOS | qemu-img | No | Yes | Jul 25, 2025 |
