oss-sec mailing list archives
Re: Qemu: ide: ahci use-after-free vulnerability in aio port commands
From: cve-assign () mitre org
Date: Sat, 9 Jan 2016 08:57:03 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Qemu emulator built with the IDE AHCI Emulation support is vulnerable to a use after free(kind of) issue. It could occur after processing AHCI Native Command Queuing(NCQ) AIO commands. A privileged user inside guest could use this flaw to crash the Qemu process instance or might potentially execute arbitrary code with privileges of the Qemu process on the host. https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg01184.html https://bugzilla.redhat.com/show_bug.cgi?id=1288532
when the NCQ command is invalid, the 'aiocb' object is not assigned, and NCQ transfer object is left as 'used'. This leads to a use after free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. Reset NCQ transfer object to 'unused' to avoid it.
Use CVE-2016-1568. This is not yet available at http://git.qemu.org/?p=qemu.git;a=history;f=hw/ide/ahci.c but that may be an expected place for a later update. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWkRD7AAoJEL54rhJi8gl5S1YP/2Nj8+B8iR1aFHR0GXUCsCWk nKQYEphcDT0iyFkJ+1iazUA/72yIYp3U+wQaC5BpkUlT+KSWRKoSDCypjTKfXKUn HwfAsrio3NAtnpJTapalqVWN4i9fUrzCrRdMDHO+4qgxk/ph0gjxnrGldMhKN7Sz BTVqrY802SUFfHcKyX8Mdk7ixqq0V+grix0qRUd5q5cwrGgLsmNyWygU6gHz6rNR UfB2ZQLAbybR7nUcdmYFv4oTfc4voCerLS2cWP/KGmput4vnBoZvNgkXxSysTVBE dg54hk0xMQJzOjrec05M99wQ0kK7nhIvPyIF6D0zz3aBCJ6gyYHhipfl4skxoGNn RE5ljb4483sbyLFBqzj9SmrDbdiPN+1aN8dbh2yelLP5y1ccMwOXxyY3vfxiXbyy qsVdyO0dEA9A2s7OsSbROTwR/wHuT6PYyUOxgWx/0+waj/NuwC+znpKjgILoV7Hv fGkRtIDGH1UhnlfUlweIKAKnpCYFuJpZhrnDc9Ldtzagw7eveIDUlXjgAE/E/vmc +7ySSt2T6d6+J7vDqCyyfjVTSbIaC4EGlpxnAOdLnPf0cFUPxZfPytJLGUthzRpA FUMVK8yNErYQEu8T07rfDXbPvk5lJoxPpoC4M1Wfkco33z1EeA03ic0W+dVnRfCC VTZRXik6y0D06HcjIrRp =iYts -----END PGP SIGNATURE-----
Current thread:
- Qemu: ide: ahci use-after-free vulnerability in aio port commands P J P (Jan 08)
- Re: Qemu: ide: ahci use-after-free vulnerability in aio port commands cve-assign (Jan 09)