oss-sec mailing list archives
Re: CVE request: Qemu: scsi: pvscsi: infinite loop when building SG list
From: cve-assign () mitre org
Date: Tue, 6 Sep 2016 20:54:43 -0400 (EDT)
Quick Emulator (Qemu) built with the VMWARE PVSCSI paravirtual SCSI bus emulation support is vulnerable to an infinite loop issue. It could occur while processing an IO request descriptor, building SG list. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS.

https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00772.html
https://bugzilla.redhat.com/show_bug.cgi?id=1373478
In PVSCSI paravirtual SCSI bus, the request descriptor data length is defined to be 64 bit. While building SG list from a request descriptor, it gets truncated to 32 bit in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop situation for arbitrarily large 'dataLen' values. Check SG list element count to avoid it.
Use CVE-2016-7156. This is not yet available at http://git.qemu.org/?p=qemu.git;a=history;f=hw/scsi/vmw_pvscsi.c but that may be an expected place for a later update.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
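The loop behaviour described in the message above, as an added example that is not part of the original thread and is not QEMU's source: a simplified C model of sizing SG chunks from a 64-bit length narrowed to 32 bits, beside a variant that compares at full width and caps the element count. The function names, `MAX_SG_ELEM`, `STEP_GUARD` and the element lengths are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SG_ELEM 8     /* assumed cap on SG elements per request (constructed) */
#define STEP_GUARD  1000  /* demo-only guard so the unbounded variant returns here */

/* Constructed SG element lengths; indexing wraps to model a guest-controlled chain. */
static const uint32_t sg_len[] = { 4096, 4096, 8192 };
#define SG_N (sizeof(sg_len) / sizeof(sg_len[0]))

/* "Before" model: the 64-bit length is narrowed to 32 bits when sizing a chunk.
 * Returns loop steps taken, or -1 when the guard trips (stands in for a hang). */
static int walk_truncating(uint64_t data_len)
{
    uint32_t resid = 0;
    unsigned idx = 0;
    int steps = 0;

    while (data_len) {
        if (++steps > STEP_GUARD)
            return -1;
        if (!resid)
            resid = sg_len[idx++ % SG_N];
        uint32_t low = (uint32_t)data_len;          /* 64 -> 32 bit truncation */
        uint32_t chunk = low < resid ? low : resid; /* 0 when the low 32 bits are 0 */
        data_len -= chunk;                          /* no progress if chunk == 0 */
        resid -= chunk;
    }
    return steps;
}

/* "After" model: compare at full width and stop after MAX_SG_ELEM elements.
 * Returns elements consumed; *left is the length that was not mapped. */
static unsigned walk_bounded(uint64_t data_len, uint64_t *left)
{
    uint32_t resid = 0;
    unsigned elems = 0;

    while (data_len && elems < MAX_SG_ELEM) {
        if (!resid)
            resid = sg_len[elems++ % SG_N];
        uint64_t chunk = data_len < resid ? data_len : resid;
        data_len -= chunk;
        resid -= (uint32_t)chunk;
    }
    *left = data_len;   /* non-zero means the request exceeded the cap */
    return elems;
}
```

A caller of the bounded variant would treat a non-zero `*left` as a malformed request and fail it rather than continue mapping.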
Current thread:
- CVE request: Qemu: scsi: pvscsi: infinite loop when building SG list P J P (Sep 06)
- Re: CVE request: Qemu: scsi: pvscsi: infinite loop when building SG list cve-assign (Sep 06)