Re: CVE request: Qemu: buffer overflow in virtio-serial

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/qemu/qemu/commit/7882080388be5088e72c425b02223c02e6cb4295
> https://lists.gnu.org/archive/html/qemu-devel/2015-07/msg05458.html

> Don't assume a specific layout for control messages.

> hw/char/virtio-serial-bus.c

> send_control_msg

> -    memcpy(elem.in_sg[0].iov_base, buf, len);
> +    /* TODO: detect a buffer that's too short, set NEEDS_RESET */
> +    iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len);

> Qemu emulator built with the virtio-serial vmchannel support is vulnerable to
> a buffer overflow issue. It could occur while exchanging virtio control
> messages between guest & the host.
>
> A malicious guest could use this flaw to corrupt few bytes of Qemu memory
> area, potentially crashing the Qemu process.

Use CVE-2015-5745.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVw283AAoJEKllVAevmvmsfgwH/2QCbFLQJTRfcaExszbdczlX
ciSqTWOuUev2zrch+wptzCNIzmuRo+16quDQ+sNcgefTFQwZQs14XYMp9n3xv2Tg
w++oYByFgWJps1tev18UiHIRUA7YEvl7LDYL++BgHeL3McOIXowilj0+0p7kgx1b
AI6Jx566eBecMcoRQtPH4X0zKg5Hrd7k97rHGqPhza1eKjkweSVfuHVliuFTkIH9
le8+84TxOWlTAZv4xgmDDkCpPINJmATPnc3zfHNjpRyHVFB2jVahLplSDOOdrE2w
uqe59griVgciusqQnhStau5bZXh1gUzGN2yqz/XCkXua135o/vMN/NgnUxJ1GbA=
=P2BP
-----END PGP SIGNATURE-----