oss-sec mailing list archives

CVE request Qemu: hw: net: Fix a heap overflow in xlnx.xps-ethernetlite


From: Hu Chaojian <chaojianhu () hotmail com>
Date: Fri, 23 Sep 2016 09:48:07 +0000

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. Attackers may leverage it to execute arbitrary
code with privileges of the qemu process on the host.


Upstream patches:

https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01598.html
https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01877.html

This issue was discovered by chaojianhu <chaojianhu () hotmail com>

Thanks,

Chaojian Hu


-------------------------------------------------------------------------------------------

p.s.

Alistair (the code maintainer) has requested a CVE id for this vulnerability.


Hello chaojianhu,

I created a CVE, but I can't access it. Do you know how to expose the CVE?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7161

Thanks,

Alistair


But there seems to be a small problem.
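An added illustration of the two shapes of receive callback the report above contrasts, written for this page rather than taken from QEMU or from the mail: the device state, its 2048-byte receive buffer and the frame contents are constructed assumptions, and only the bounded version is ever given an oversized frame.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
/* Constructed stand-in for the device state (not QEMU's struct): a fixed
 * receive buffer followed by a field that an overflow would overwrite. */
#define RX_BUF_BYTES 2048
typedef struct {
    uint8_t  rx_buf[RX_BUF_BYTES];
    uint32_t rx_len;   /* bytes stored in rx_buf; sits right after the buffer */
} EthLiteState;

/* Vulnerable shape: the network-supplied length goes straight to memcpy. */
static ssize_t eth_rx_unchecked(EthLiteState *s, const uint8_t *buf, size_t size)
{
    memcpy(s->rx_buf, buf, size);   /* size is never compared with sizeof rx_buf */
    s->rx_len = (uint32_t)size;
    return (ssize_t)size;
}

/* Fixed shape: bound the length before writing; -1 means the frame was dropped. */
static ssize_t eth_rx_checked(EthLiteState *s, const uint8_t *buf, size_t size)
{
    if (size > sizeof(s->rx_buf)) {
        return -1;
    }
    memcpy(s->rx_buf, buf, size);
    s->rx_len = (uint32_t)size;
    return (ssize_t)size;
}

/* Constructed 64-byte frame: both callbacks accept and store it. */
static int in_bounds_frame_is_stored(void)
{
    EthLiteState a = {0}, b = {0};
    uint8_t frame[64];
    memset(frame, 0xAA, sizeof frame);
    return eth_rx_unchecked(&a, frame, 64) == 64 && eth_rx_checked(&b, frame, 64) == 64 &&
           a.rx_len == 64 && b.rx_buf[63] == 0xAA;
}

/* Constructed frame one byte larger than rx_buf: the checked callback drops it
 * and leaves the state untouched (the unchecked one would overflow here). */
static int oversized_frame_is_dropped(void)
{
    EthLiteState s = { .rx_len = 7 };   /* sentinel: must survive the drop */
    uint8_t frame[RX_BUF_BYTES + 1];
    memset(frame, 0xBB, sizeof frame);
    return eth_rx_checked(&s, frame, sizeof frame) == -1 && s.rx_len == 7 && s.rx_buf[0] == 0;
}
```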
