oss-sec mailing list archives
Re: CVE request: Qemu: buffer overflow in virtio-serial
From: cve-assign () mitre org
Date: Thu, 6 Aug 2015 10:32:03 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
https://github.com/qemu/qemu/commit/7882080388be5088e72c425b02223c02e6cb4295 https://lists.gnu.org/archive/html/qemu-devel/2015-07/msg05458.html
Don't assume a specific layout for control messages.
hw/char/virtio-serial-bus.c
send_control_msg
- memcpy(elem.in_sg[0].iov_base, buf, len); + /* TODO: detect a buffer that's too short, set NEEDS_RESET */ + iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len);
Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between guest & the host. A malicious guest could use this flaw to corrupt few bytes of Qemu memory area, potentially crashing the Qemu process.
Use CVE-2015-5745. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJVw283AAoJEKllVAevmvmsfgwH/2QCbFLQJTRfcaExszbdczlX ciSqTWOuUev2zrch+wptzCNIzmuRo+16quDQ+sNcgefTFQwZQs14XYMp9n3xv2Tg w++oYByFgWJps1tev18UiHIRUA7YEvl7LDYL++BgHeL3McOIXowilj0+0p7kgx1b AI6Jx566eBecMcoRQtPH4X0zKg5Hrd7k97rHGqPhza1eKjkweSVfuHVliuFTkIH9 le8+84TxOWlTAZv4xgmDDkCpPINJmATPnc3zfHNjpRyHVFB2jVahLplSDOOdrE2w uqe59griVgciusqQnhStau5bZXh1gUzGN2yqz/XCkXua135o/vMN/NgnUxJ1GbA= =P2BP -----END PGP SIGNATURE-----
Current thread:
- CVE request: Qemu: buffer overflow in virtio-serial P J P (Aug 06)
- Re: CVE request: Qemu: buffer overflow in virtio-serial cve-assign (Aug 06)