oss-sec mailing list archives

Re: CVE request Qemu: scsi: esp: oob write access while reading ESP command

From: cve-assign () mitre org
Date: Tue, 26 Jul 2016 15:21:12 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation support
is vulnerable to an OOB write access issue. It could occur while doing DMA
read into ESP command buffer 's->cmdbuf'; It could write past the 's->cmdbuf'
area, if it was transferring more than 16 bytes in esp_do_dma().

A privileged user inside guest could use this flaw to crash the Qemu process
resulting in DoS OR potentially leverage it to execute arbitrary code with
privileges of the Qemu process on the host.

Upstream patches:
-----------------
   -> http://git.qemu.org/?p=qemu.git;a=commit;h=926cde5f3e4d2504ed161ed0cb771ac7cad6fd11
   -> http://git.qemu.org/?p=qemu.git;a=commit;h=cc96677469388bad3d66479379735cf75db069e3

scsi: esp: make cmdbuf big enough for maximum CDB size

Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.


Use CVE-2016-6351.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXl7ePAAoJEHb/MwWLVhi2DkcP/0Cve7oqMMMa06UgbrOLGj1S
eXWNyPD1oL112rkjfYNjTQZwKVb4nmZoKGoibqcnlZLJkzH88Cvpl0tF1YVKPfoG
TsvXjXfiABZTeFGUfKJfjQEp9YeIuosAMfp2Dj/Cpe5WK0NYF6ZakqG1A9gWzNvv
dRqlB6eoaqjWKgycTGcRiqcHfIflaGnI8W+syumDQQ6y873ILk9WdLcA9AZnvDUs
4/EITZCHaEBDNOoK8jP+FcctPNwYSGwfqcDxrT/h6bb7zpd5yT6JQWu0EZPetzVV
RPFE8/Owf+OIwNJtqbz+lKRV6vi1G0gB824rEupY1ZUWTPRNTl/FNuuhfpVdIklu
WhKZJKP76RIzC9HChsbpPfzxYbg7GxMr+XWp24X2EptIfZJmvVA4Y3C99+b2wvLb
y8AMwTZzKLLuOunAQ+4/10n21u+3EZxeJvMgUD5BipoZnEwoPgkKD+2sHtKNnXaH
imEZ0f789i1mrIx673rXowjoReXRGQUic/yhRAWnsbnz3Jz6xclbmrPN6W2XZScH
XPV0e1/u3AqZJ7ZQgbospB8Co06mYWJfYfnPFQIniVSf8sf32Rs+wUKsT0+V8NzW
o4qi7w/kX40Zy1K+DTNfCRa44nH7OFirt0CpQxrKuDo1mhn94nAWdJ5hMx1LfA0G
bjCLFVM2rEcNXi7FM6Fi
=Rrsy
-----END PGP SIGNATURE-----

Current thread:

CVE request Qemu: scsi: esp: oob write access while reading ESP command P J P (Jul 25)
- Re: CVE request Qemu: scsi: esp: oob write access while reading ESP command cve-assign (Jul 26)