CVE-2015-5745: security - Re: CVE request: Qemu: buffer overflow in virtio-serial

• Products
  • Openwall GNU/*/Linux server OS
  • Linux Kernel Runtime Guard
  • John the Ripper password cracker
    • Free & Open Source for any platform
    • in the cloud
    • Pro for Linux
    • Pro for macOS
  • Wordlists for password cracking
  • passwdqc policy enforcement
    • Free & Open Source for Unix
    • Pro for Windows (Active Directory)
  • yescrypt KDF & password hashing
  • yespower Proof-of-Work (PoW)
  • crypt_blowfish password hashing
  • phpass ditto in PHP
  • tcb better password shadowing
  • Pluggable Authentication Modules
  • scanlogd port scan detector
  • popa3d tiny POP3 daemon
  • blists web interface to mailing lists
  • msulogin single user mode login
  • php_mt_seed mt_rand() cracker
• Services
• Publications
  • Articles
  • Presentations
• Resources
  • Mailing lists
  • Community wiki
  • Source code repositories (GitHub)
  • Source code repositories (CVSweb)
  • File archive & mirrors
  • How to verify digital signatures
  • OVE IDs
• What’s new

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Thu, 6 Aug 2015 10:32:03 -0400 (EDT) From: cve-assign@…re.org To: ppandit@…hat.com Cc: cve-assign@…re.org, oss-security@…ts.openwall.com Subject: Re: CVE request: Qemu: buffer overflow in virtio-serial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

https://github.com/qemu/qemu/commit/7882080388be5088e72c425b02223c02e6cb4295 https://lists.gnu.org/archive/html/qemu-devel/2015-07/msg05458.html

Don’t assume a specific layout for control messages.

hw/char/virtio-serial-bus.c

send_control_msg

• memcpy(elem.in_sg[0].iov_base, buf, len);

• /* TODO: detect a buffer that’s too short, set NEEDS_RESET */
• iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len);

Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between guest & the host.

A malicious guest could use this flaw to corrupt few bytes of Qemu memory area, potentially crashing the Qemu process.

Use CVE-2015-5745.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQEcBAEBCAAGBQJVw283AAoJEKllVAevmvmsfgwH/2QCbFLQJTRfcaExszbdczlX ciSqTWOuUev2zrch+wptzCNIzmuRo+16quDQ+sNcgefTFQwZQs14XYMp9n3xv2Tg w++oYByFgWJps1tev18UiHIRUA7YEvl7LDYL++BgHeL3McOIXowilj0+0p7kgx1b AI6Jx566eBecMcoRQtPH4X0zKg5Hrd7k97rHGqPhza1eKjkweSVfuHVliuFTkIH9 le8+84TxOWlTAZv4xgmDDkCpPINJmATPnc3zfHNjpRyHVFB2jVahLplSDOOdrE2w uqe59griVgciusqQnhStau5bZXh1gUzGN2yqz/XCkXua135o/vMN/NgnUxJ1GbA= =P2BP -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.