oss-sec mailing list archives

CVE request Qemu: usb: integer overflow in remote NDIS control message handling

From: P J P <ppandit () redhat com>
Date: Mon, 22 Feb 2016 21:20:28 +0530 (IST)

  Hello,

Qemu emulator built with the USB Net device emulation support is vulnerable toan integer overflow issue. It could occur while processing remote NDIS controlmessage packets. As the incoming informationBufferOffset & Length combinationcould cross the integer range.

A privileged user inside guest could use this flaw to leak host memory bytesto guest or crash the Qemu process instance resulting in DoS.


Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg03658.html

Reference:
----------
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1303120

This issue was discovered by Qinghao Tang of 360.cn Marvel Team, China.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Current thread:

CVE request Qemu: usb: integer overflow in remote NDIS control message handling P J P (Feb 22)
- Re: CVE request Qemu: usb: integer overflow in remote NDIS control message handling cve-assign (Feb 23)