oss-sec mailing list archives

Re: CVE-2018-20124 QEMU: rdma: OOB access when building scatter-gather array

From: saar amar <saaramar5 () gmail com>
Date: Tue, 18 Dec 2018 11:44:32 +0200

Thanks all :) I'm happy it fixed, thanks for the response guys!

I'm wondering why it says "DOS" and not "execute arbitrary code on the
host, in the context of the QEMU process"? I have stack overflow, it pretty
clear I could gain more than simple DOS:)

What do your day?

On Tue, 18 Dec 2018, 10:53 P J P <ppandit () redhat com wrote:

   Hello,

An out-of-bound stack buffer r/w access issue was found in QEMU's generic
RDMA
back-end implementation. It could occur when a driver tries to build
scatter/gather element's array in build_host_sge_array() routine.

A guest user/process could use this flaw to crash the QEMU process
resulting
in DoS.

Upstream patch:
---------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html

This issue was reported by Saar Amar.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Current thread:

CVE-2018-20124 QEMU: rdma: OOB access when building scatter-gather array P J P (Dec 18)
- Re: CVE-2018-20124 QEMU: rdma: OOB access when building scatter-gather array saar amar (Dec 18)
  - Re: Re: CVE-2018-20124 QEMU: rdma: OOB access when building scatter-gather array Agostino Sarubbo (Dec 18)
  - Re: CVE-2018-20124 QEMU: rdma: OOB access when building scatter-gather array P J P (Dec 18)