CVE-2014-0222: [Qemu-stable] [ANNOUNCE] QEMU 1.7.2 Stable released
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.
From: Michael Roth
Subject: [Qemu-stable] [ANNOUNCE] QEMU 1.7.2 Stable released
Date: Wed, 23 Jul 2014 12:57:04 -0500
User-agent: alot/0.3.4
Hi everyone,
I am pleased to announce that the QEMU v1.7.2 stable release is now available at:
http://wiki.qemu.org/download/qemu-1.7.2.tar.bz2
v1.7.2 is now tagged in the official qemu.git repository, and the stable-1.7 branch has been updated accordingly:
http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-1.7
This release contains 155 build/bug fixes, including important security updates relating to untrusted guest image files and migration/savevm sources. See the changelog below for relevant CVEs and additional details.
Thank you to everyone involved!
CHANGELOG:
adba377: Update VERSION for 1.7.2 release (Michael Roth)
8fde73e: Allow mismatched virtio config-len (Dr. David Alan Gilbert)
14d9fb0: pci: assign devfn to pci_dev before calling pci_device_iommu_address_space() (Le Tan)
53e4895: hw: Fix qemu_allocate_irqs() leaks (Andreas Färber)
bb485bf: sdhci: Fix misuse of qemu_free_irqs() (Andreas Färber)
02835d5: vnc: Fix tight_detect_smooth_image() for lossless case (Markus Armbruster)
41ee918: qapi: zero-initialize all QMP command parameters (Michael Roth)
0c60b74: nbd: Shutdown socket before closing. (Hani Benhabiles)
25351f6: nbd: Close socket on negotiation failure. (Hani Benhabiles)
cf392d2: nbd: Don’t validate from and len in NBD_CMD_DISC. (Hani Benhabiles)
3c3d8c6: nbd: Don’t export a block device with no medium. (Hani Benhabiles)
62c754e: virtio-serial: don’t migrate the config space (Alexander Graf)
0fd14a5: virtio-net: byteswap virtio-net header (Cédric Le Goater)
7a3cd5a: target-i386: Filter FEAT_7_0_EBX TCG features too (Eduardo Habkost)
8a93721: coroutine-win32.c: Add noinline attribute to work around gcc bug (Peter Maydell)
b47506f: KVM: Fix GSI number space limit (Alexander Graf)
f0c609d: usb: Fix usb-bt-dongle initialization. (Hani Benhabiles)
79bd778: vhost: fix resource leak in error handling (Michael S. Tsirkin)
36afdba: scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c (Ulrich Obergfell)
63bf1e0: rdma: bug fixes (Michael R. Hines)
23dbc56: qga: Fix handle fd leak in acquire_privilege() (Gonglei)
4041945: aio: fix qemu_bh_schedule() bh->ctx race condition (Stefan Hajnoczi)
5019106: s390x/css: handle emw correctly for tsch (Cornelia Huck)
f784615: target-arm: Fix errors in writes to generic timer control registers (Peter Maydell)
e34feec: tcg-i386: Fix win64 qemu store (Richard Henderson)
ccb08f5: linux-user: Don’t overrun guest buffer in sched_getaffinity (Peter Maydell)
cb34d1e: qemu-img: Plug memory leak in convert command (Markus Armbruster)
df9c108: block/sheepdog: Plug memory leak in sd_snapshot_create() (Markus Armbruster)
d3cd48a: block/vvfat: Plug memory leak in read_directory() (Markus Armbruster)
501da93: block/vvfat: Plug memory leak in check_directory_consistency() (Markus Armbruster)
7267e51: block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR (Markus Armbruster)
d1775fe: blockdev: Plug memory leak in drive_init() (Markus Armbruster)
d2b9874: blockdev: Plug memory leak in blockdev_init() (Markus Armbruster)
c2fb0f2: cputlb: Fix regression with TCG interpreter (bug 1310324) (Stefan Weil)
26b5102: target-xtensa: fix cross-page jumps/calls at the end of TB (Max Filippov)
44564f8: virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path (Markus Armbruster)
2f1eb04: qcow1: Stricter backing file length check (Kevin Wolf)
b53d866: qcow1: Validate image size (CVE-2014-0223) (Kevin Wolf)
8b17eb6: qcow1: Validate L2 table size (CVE-2014-0222) (Kevin Wolf)
e6c55cf: qcow1: Check maximum cluster size (Kevin Wolf)
41819e9: qcow1: Make padding in the header explicit (Kevin Wolf)
97a0e27: parallels: Sanity check for s->tracks (CVE-2014-0142) (Kevin Wolf)
750336b: parallels: Fix catalog size integer overflow (CVE-2014-0143) (Kevin Wolf)
cfa8008: qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143) (Kevin Wolf)
d99c4e2: qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145) (Kevin Wolf)
641c3ec: qcow2: Fix copy_sectors() with VM state (Kevin Wolf)
c2c5272: qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146) (Kevin Wolf)
759d386: block: Limit request size (CVE-2014-0143) (Kevin Wolf)
b6f7fbd: dmg: prevent chunk buffer overflow (CVE-2014-0145) (Stefan Hajnoczi)
d400b5d: dmg: use uint64_t consistently for sectors and lengths (Stefan Hajnoczi)
758c484: dmg: sanitize chunk length and sectorcount (CVE-2014-0145) (Stefan Hajnoczi)
4b50bd7: dmg: use appropriate types when reading chunks (Stefan Hajnoczi)
4ee5b9c: dmg: drop broken bdrv_pread() loop (Stefan Hajnoczi)
ad08cae: dmg: prevent out-of-bounds array access on terminator (Stefan Hajnoczi)
dedf4a5: dmg: coding style and indentation cleanup (Stefan Hajnoczi)
3c6347c: qcow2: Fix new L1 table size check (CVE-2014-0143) (Kevin Wolf)
e1c8770: qcow2: Protect against some integer overflows in bdrv_check (Kevin Wolf)
c874837: qcow2: Fix types in qcow2_alloc_clusters and alloc_clusters_noref (Kevin Wolf)
610ab7b: qcow2: Check new refcount table size on growth (Kevin Wolf)
7a6088c: qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143) (Kevin Wolf)
ffa3ab0: qcow2: Don’t rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147) (Kevin Wolf)
aeba415: qcow2: Zero-initialise first cluster for new images (Kevin Wolf)
2f59c95: qcow2: fix offset overflow in qcow2_alloc_clusters_at() (Hu Tao)
5ba151f: qcow2: Fix backing file name length check (Kevin Wolf)
cd598d4: qcow2: Validate active L1 table offset and size (CVE-2014-0144) (Kevin Wolf)
04bc698: qcow2: Validate snapshot table offset/size (CVE-2014-0144) (Kevin Wolf)
818ce84: qcow2: Validate refcount table offset (Kevin Wolf)
f6027f8: qcow2: Check refcount table size (CVE-2014-0144) (Kevin Wolf)
6f6db0c: qcow2: Check backing_file_offset (CVE-2014-0144) (Kevin Wolf)
665f3ad: qcow2: Check header_length (CVE-2014-0144) (Kevin Wolf)
4854971: curl: check data size before memcpy to local buffer. (CVE-2014-0144) (Fam Zheng)
1786c42: vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148) (Jeff Cody)
37173f5: vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144) (Jeff Cody)
76d1edd: vpc: Validate block size (CVE-2014-0142) (Kevin Wolf)
b2390c7: vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144) (Jeff Cody)
6ee0d5f: bochs: Fix bitmap offset calculation (Kevin Wolf)
b0a7517: bochs: Check extent_size header field (CVE-2014-0142) (Kevin Wolf)
6b94cfe: bochs: Check catalog_size header field (CVE-2014-0143) (Kevin Wolf)
0e74862: bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147) (Kevin Wolf)
bb8b201: bochs: Unify header structs and make them QEMU_PACKED (Kevin Wolf)
ae9b5df: qemu-iotests: Support for bochs format (Kevin Wolf)
dbd3e4a: block/cloop: fix offsets[] size off-by-one (Stefan Hajnoczi)
0fda3e2: block/cloop: refuse images with bogus offsets (CVE-2014-0144) (Stefan Hajnoczi)
7dcffbb: block/cloop: refuse images with huge offsets arrays (CVE-2014-0144) (Stefan Hajnoczi)
d723971: block/cloop: prevent offsets_size integer overflow (CVE-2014-0143) (Stefan Hajnoczi)
1f6bda9: block/cloop: validate block_size header field (CVE-2014-0144) (Stefan Hajnoczi)
46c5cac: qemu-iotests: add cloop input validation tests (Stefan Hajnoczi)
95139b7: qemu-iotests: add ./check -cloop support (Stefan Hajnoczi)
69b7aac: migration: catch unknown flags in ram_load (Peter Lieven)
3102b1a: migration: remove duplicate code (ChenLiang)
84321ba: virtio: allow mapping up to max queue size (Michael S. Tsirkin)
9fbc298: pci-assign: limit # of msix vectors (Michael S. Tsirkin)
74dd27c: spapr_pci: Fix number of returned vectors in ibm, change-msi (Alexey Kardashevskiy)
b6760b6: linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32 (Peter Maydell)
64b210d: linux-user/elfload.c: Update ARM HWCAP bits (Peter Maydell)
f6de352: linux-user/elfload.c: Fix incorrect ARM HWCAP bits (Peter Maydell)
7c56952: target-arm: Make vbar_write 64bit friendly on 32bit hosts (Edgar E. Iglesias)
3c1162e: target-i386: fix set of registers zeroed on reset (Paolo Bonzini)
73d8965: stellaris_enet: block migration (Michael S. Tsirkin)
2003205: virtio: validate config_len on load (Michael S. Tsirkin)
7abee6c: savevm: Ignore minimum_version_id_old if there is no load_state_old (Peter Maydell)
c4bd2e4: usb: sanity check setup_index+setup_len in post_load (Michael S. Tsirkin)
0776525: vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/ (Michael S. Tsirkin)
a7fcb4c: virtio-scsi: fix buffer overrun on invalid state load (Michael S. Tsirkin)
8d948a0: zaurus: fix buffer overrun on invalid state load (Michael S. Tsirkin)
c75e43b: tsc210x: fix buffer overrun on invalid state load (Michael S. Tsirkin)
af44364: ssd0323: fix buffer overun on invalid state load (Michael S. Tsirkin)
45edb0c: ssi-sd: fix buffer overrun on invalid state load (Michael S. Tsirkin)
d92a768: pxa2xx: avoid buffer overrun on incoming migration (Michael S. Tsirkin)
68801b7: virtio: validate num_sg when mapping (Michael S. Tsirkin)
609f5bf: openpic: avoid buffer overrun on incoming migration (Michael Roth)
8f0e369: virtio: avoid buffer overrun on incoming migration (Michael Roth)
630ebef: vmstate: fix buffer overflow in target-arm/machine.c (Michael S. Tsirkin)
a2b4e84: Fix vmstate_info_int32_le comparison/assign (Dr. David Alan Gilbert)
f217f37: pl022: fix buffer overun on invalid state load (Michael S. Tsirkin)
e83444f: hw/pci/pcie_aer.c: fix buffer overruns on invalid state load (Michael S. Tsirkin)
d8aba74: hpet: fix buffer overrun on invalid state load (Michael S. Tsirkin)
d34e6f7: ahci: fix buffer overrun on invalid state load (Michael S. Tsirkin)
5544b7e: virtio: out-of-bounds buffer write on invalid state load (Michael S. Tsirkin)
7b6444a: virtio-net: out-of-bounds buffer write on load (Michael S. Tsirkin)
2b15f41: virtio-net: out-of-bounds buffer write on invalid state load (Michael S. Tsirkin)
95f118f: virtio-net: fix buffer overflow on invalid state load (Michael S. Tsirkin)
29e2bbe: vmstate: add VMSTATE_VALIDATE (Michael S. Tsirkin)
a075a3a: vmstate: add VMS_MUST_EXIST (Michael S. Tsirkin)
25062a7: vmstate: reduce code duplication (Michael S. Tsirkin)
f93614c: vmxnet3: validate queues configuration read on migration (Dmitry Fleytman)
709cc04: vmxnet3: validate interrupt indices read on migration (Dmitry Fleytman)
ed995c6: vmxnet3: validate queues configuration coming from guest (Dmitry Fleytman)
6bbbb93: vmxnet3: validate interrupt indices coming from guest (Dmitry Fleytman)
636fa8a: acpi: fix tables for no-hpet configuration (Michael S. Tsirkin)
1a6ea31: po/Makefile: fix $SRC_PATH reference (Michael Tokarev)
012d778: s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG (David Hildenbrand)
dd8f80b: s390x/helper: Added format control bit to MMU translation (Thomas Huth)
b1a86eb: block: Use BDRV_O_NO_BACKING where appropriate (Kevin Wolf)
792a403: block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file. (Benoît Canet)
0655eee: arm: translate.c: Fix smlald Instruction (Peter Crosthwaite)
5cfd43b: megasas: Implement LD_LIST_QUERY (Hannes Reinecke)
c5dae2f: ide: Correct improper smart self test counter reset in ide core. (Benoît Canet)
3239a20: block-commit: speed is an optional parameter (Max Reitz)
a8b7e73: qcow2: Flush metadata during read-only reopen (Kevin Wolf)
38a55f3: hw/net/stellaris_enet: Correct handling of packet padding (Peter Maydell)
7d09fac: hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun (Peter Maydell)
11088ab: virtio-net: Do not filter VLANs without F_CTRL_VLAN (Stefan Fritsch)
0fd56fb: mirror: fix early wake from sleep due to aio (Stefan Hajnoczi)
8211eeb: mirror: fix throttling delay calculation (Paolo Bonzini)
0414abe: configure: Don’t use __int128_t for clang versions before 3.2 (Stefan Weil)
151be4f: tests: Fix ‘make test’ for i686 hosts (build regression) (Stefan Weil)
a290aee: tap: avoid deadlocking rx (Stefan Hajnoczi)
7e42cd6: qom: Avoid leaking str and bool properties on failure (Stefan Hajnoczi)
4f577e9: scsi: Change scsi sense buf size to 252 (Fam Zheng)
6be38ee: target-i386: Fix ucomis and comis memory access (Richard Henderson)
2e191f8: target-i386: Fix CC_OP_CLR vs PF (Richard Henderson)
91ae1d3: s390x/virtio-hcall: Add range check for hypervisor call (Thomas Huth)
0a77a92: block/iscsi: fix deadlock on scsi check condition (Peter Lieven)
8b8dd2c: scsi-bus: Fix transfer length for VERIFY with BYTCHK=11b (Markus Armbruster)
248de52: char: restore read callback on a reattached (hotplug) chardev (Gal Hammer)
Related news
QEMU before 1.6.2: the block drivers for the Bochs disk image formats and for the QCOW version 2 format are vulnerable to a possible crash caused by signed data types, or by a logic error while creating QCOW2 snapshots that leads to update_refcount() being called incorrectly.
QEMU before 2.0.0: the block drivers for CLOOP, QCOW version 2 and various other image formats are vulnerable to potential memory corruption, integer/buffer overflows or crashes caused by missing input validation, which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.
QEMU before 2.0: the block driver for Hyper-V VHDX images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for the block_size and logical_sector_size variables. These are used to derive other fields such as 'sectors_per_block'. A user able to alter the QEMU disk image could use this flaw to crash the QEMU instance, resulting in a denial of service.
Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.
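The two qcow_open entries above (CVE-2014-0222, a large L2 table; CVE-2014-0223, a large image size) share one root cause: header fields under the image author's control are shifted and multiplied into allocation sizes before anyone checks their range. The following C program is an added example, not QEMU's code and not the patches from the changelog: it parses a QCOW version 1 header from a byte buffer and rejects out-of-range cluster_bits / l2_bits before computing `1 << l2_bits`, then derives the L1 table size without an overflowing add. The field layout is the QCOW1 on-disk header (big-endian); the specific bounds (cluster 512 B to 64 KiB, L2 table 512 B to 64 KiB, a 32 MiB cap on the L1 table), the error codes and every helper name are this example's own assumptions and not necessarily what the upstream fixes use. The two header images it checks are constructed inline.

```c
/* Added example, not QEMU's code: a hardened QCOW version 1 header parser.
 * Field layout is the QCOW1 on-disk header (all fields big-endian); the
 * bounds, error codes and helper names below are this example's assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QCOW1_MAGIC      0x514649fbU   /* "QFI\xfb" */
#define QCOW1_HEADER_LEN 48

/* Assumed bounds: cluster 512 B..64 KiB; L2 table 512 B..64 KiB (64..8192
 * eight-byte entries); at most 32 MiB for the in-memory L1 table. */
#define MIN_CLUSTER_BITS 9
#define MAX_CLUSTER_BITS 16
#define MIN_L2_BITS      (9 - 3)
#define MAX_L2_BITS      (16 - 3)
#define MAX_L1_BYTES     (32u << 20)

enum {
    QCOW1_OK = 0, QCOW1_ERR_SHORT = -1, QCOW1_ERR_MAGIC = -2, QCOW1_ERR_VERSION = -3,
    QCOW1_ERR_CLUSTER_BITS = -4, QCOW1_ERR_L2_BITS = -5, QCOW1_ERR_L1_TOO_BIG = -6
};

struct qcow1_geometry { uint64_t cluster_size, l2_entries, l2_bytes, l1_entries, l1_bytes; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)(v >> 32)); put32(p + 4, (uint32_t)v); }

/* Validate a raw header and derive the geometry qcow_open() needs.
 * Header offsets: magic@0 version@4 backing_file_offset@8 backing_file_size@16
 * mtime@20 size@24 cluster_bits@32 l2_bits@33 padding@34 crypt_method@36
 * l1_table_offset@40. Returns QCOW1_OK or a negative QCOW1_ERR_* code. */
int qcow1_open_header(const uint8_t *buf, size_t len, struct qcow1_geometry *g)
{
    if (len < QCOW1_HEADER_LEN)      return QCOW1_ERR_SHORT;
    if (be32(buf) != QCOW1_MAGIC)    return QCOW1_ERR_MAGIC;
    if (be32(buf + 4) != 1)          return QCOW1_ERR_VERSION;

    uint64_t size = be64(buf + 24);
    uint8_t cluster_bits = buf[32], l2_bits = buf[33];

    if (cluster_bits < MIN_CLUSTER_BITS || cluster_bits > MAX_CLUSTER_BITS)
        return QCOW1_ERR_CLUSTER_BITS;
    /* The vulnerable pattern is `s->l2_size = 1 << header.l2_bits` on an
     * attacker-chosen uint8_t with no range check: l2_bits >= 31 overflows the
     * int shift, and every size derived from it (L2 table bytes, L1 entry
     * count, allocation lengths) is garbage. Reject before shifting. */
    if (l2_bits < MIN_L2_BITS || l2_bits > MAX_L2_BITS)
        return QCOW1_ERR_L2_BITS;

    unsigned shift = cluster_bits + l2_bits;       /* at most 29 after the checks */
    uint64_t per_l1_entry = (uint64_t)1 << shift;  /* bytes covered by one L1 entry */
    /* ceil(size / per_l1_entry), written so that size + per_l1_entry - 1 cannot wrap. */
    uint64_t l1_entries = (size >> shift) + ((size & (per_l1_entry - 1)) != 0);
    if (l1_entries > MAX_L1_BYTES / sizeof(uint64_t))
        return QCOW1_ERR_L1_TOO_BIG;

    g->cluster_size = (uint64_t)1 << cluster_bits;
    g->l2_entries   = (uint64_t)1 << l2_bits;
    g->l2_bytes     = g->l2_entries * sizeof(uint64_t);
    g->l1_entries   = l1_entries;
    g->l1_bytes     = l1_entries * sizeof(uint64_t);
    return QCOW1_OK;
}

/* Constructed input: a minimal QCOW1 header with the requested geometry. */
void qcow1_build_header(uint8_t buf[QCOW1_HEADER_LEN], uint64_t size,
                        uint8_t cluster_bits, uint8_t l2_bits)
{
    memset(buf, 0, QCOW1_HEADER_LEN);
    put32(buf, QCOW1_MAGIC);
    put32(buf + 4, 1);
    put64(buf + 24, size);
    buf[32] = cluster_bits;
    buf[33] = l2_bits;
    put64(buf + 40, QCOW1_HEADER_LEN);   /* L1 table immediately after the header */
}

/* Sane 1 GiB image, 4 KiB clusters, 512-entry L2 tables: returns its L1 entry count. */
uint64_t demo_sane_image(void)
{
    uint8_t buf[QCOW1_HEADER_LEN];
    struct qcow1_geometry g;
    qcow1_build_header(buf, (uint64_t)1 << 30, 12, 9);
    return qcow1_open_header(buf, sizeof buf, &g) == QCOW1_OK ? g.l1_entries : 0;
}

/* Same image with l2_bits = 40, the "large L2 table" case: returns the rejection code. */
int demo_huge_l2_table(void)
{
    uint8_t buf[QCOW1_HEADER_LEN];
    struct qcow1_geometry g;
    qcow1_build_header(buf, (uint64_t)1 << 30, 12, 40);
    return qcow1_open_header(buf, sizeof buf, &g);
}

int main(void)
{
    printf("sane image: %llu L1 entries\n", (unsigned long long)demo_sane_image());
    printf("l2_bits=40: rc=%d (QCOW1_ERR_L2_BITS is %d)\n", demo_huge_l2_table(), QCOW1_ERR_L2_BITS);
    return 0;
}
```

The design point is ordering: every range check runs on the raw header field before that field feeds a shift, multiply or allocation, and the ceil division is written as shift-plus-remainder so a size close to 2^64 cannot wrap the usual `size + block - 1` idiom. The 1 GiB image with 4 KiB clusters and 512-entry L2 tables needs 512 L1 entries; the same header with l2_bits = 40 is refused before any table size is computed.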