oss-sec mailing list archives
Re: CVE request Qemu: hmp: stack based OOB write in hmp_sendkey routine
From: cve-assign () mitre org
Date: Tue, 22 Dec 2015 19:02:11 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Qemu emulator built with the Human Monitor Interface(HMP) support is vulnerable to an OOB write issue. It occurs while processing 'sendkey' command in hmp_sendkey routine, if the command argument is longer than the 'keyname_buf' buffer size. A user/process could use this flaw to crash the Qemu process instance resulting in DoS. https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html https://bugzilla.redhat.com/show_bug.cgi?id=1283926
An OOB write issue was reported by Mr Ling Liu ... It occurs while processing the 'sendkey' command, if the command argument was longer than the 'keyname_buf[16]' buffer.
hmp: avoid redundant null termination of buffer
When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Removed the redundant null termination, as pstrcpy routine already null terminates the target buffer.
Use CVE-2015-8619. This is not yet available at http://git.qemu.org/?p=qemu.git;a=history;f=hmp.c but that may be an expected place for a later update. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWeeQAAAoJEL54rhJi8gl5SqUP/jZ+NCSW5hsvkOvpcDPME24Q JyWE7Gm5PesbYYNOMRIZjtNm3FZJWP0iKMxECyx71bksSXrnW1m2RcNus1wNxkif UKuIRiGut2gTBIcMOKsVAKCfd7W705TJOMUEperMR8o2uKhcLQzkQ9VxrnOukIPR jGNSCtBJT3cC2M8U1MFWnWiNErBPNrUKcRnf9ob2EtXEmM9t/nV9FMA/U8C6Ke10 i2WMJ7pbKaqxn+irai/d4MBqSKHn0caeTy5XYYPJuSMcUOw+yAocljUJkqqi456L MxBUpY054DKqY15XpL7S1A/z/IXtvxs6eKRVIzJOvSskDDFVauJayNRi2A0w0wyM aJ5HZPwBFPCOpCpz3nftG5UxdnxQtUDrO2BBu09T9d2Est1wCP+zxKAboUkG3SE2 +xixvZXTlqo8/f7qMVvZ58Hr1ieT5Gp5DD7AdK8wBmHlDTbGRXEAqgskgvbBZIjl lkRpp9gXrpuiETyI08y5lxBd7Yu74f8WNxdNn5OR9Q3pWo6BPRBGRiqV5A0Z1lGB dqV71TvYDxzphZF1bFyLV0x4L6F3XIShew1mOfD45M78Z531ZNJGo116HJiJulgB yC+hfD8ctkaqAfHILIDuRug3oIYeD1jxqeSLixZS79ASGUtBrxnGO8eMU+ra0ZvQ Tx6KxEwFW+HIMZvyyVdm =BQ7m -----END PGP SIGNATURE-----
Current thread:
- CVE request Qemu: hmp: stack based OOB write in hmp_sendkey routine P J P (Dec 22)
- Re: CVE request Qemu: hmp: stack based OOB write in hmp_sendkey routine cve-assign (Dec 22)