oss-sec mailing list archives
Re: CVE request Qemu: 9pfs: integer overflow leading to OOB access
From: <cve-assign () mitre org>
Date: Sun, 30 Oct 2016 15:42:59 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an integer overflow issue. It could occur by accessing xattributes values. A privileged user inside guest could use this flaw to crash the Qemu process instance resulting in DoS. https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02942.html
Fix this by comparing the offset and the xattr size, which are both uint64_t, before trying to compute the effective number of bytes to read or write.
Use CVE-2016-9104. This is not yet available at http://git.qemu.org/?p=qemu.git;a=history;f=hw/9pfs/9p.c but that may be an expected place for a later update. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYFkuAAAoJEHb/MwWLVhi2fJwQAKH7JgohXVJh8HsReYgIUaBD pa9ceIq+t77Ddd8uS0N7srXQnZCXTkM+PKxKLW2cvBtZviUvF0wYCuoUIR3dh66e L9otE6tlEUQIMSXFuzWsUNhxQfQRYhdU1x9PuraPdcFSHE881xm9UWkg4L7PXcrL m2YS9A2kxniOjVTEWgv/Wt7Ay/hbzKX++asyBq1MomGeKQooy279xgU+C9oly8mV Zs6jdxpKcOElyC7qAW9Bn0jQ5FN10mWIBWX6C38MjjpGrtxKJS87gPpz/j2BKNTZ +JoqjDimpbEvv7PXUXMBzLa19lkJmQS9pAvbnvcVyG7IcAwBCLLP0s0Uvldmd6vX 2vh/vSrQ2TTktZYxhEy0CMgn5+viynrF0nMZHs2Oc//XS2dsdk/EGsRb9J7q/Oma UX1QGfJ/mPekHKhT8uprlpOb2IQKQX6w+GnTWexqWpbT5E/CCsuIHtiYtOxvMCAJ qHpXE1apcW66f6lNpGu4W2KDQ+4QZoK8wk7Eo+s36QqYuPO4K0C1h/jJoGvqqcoj byN7na2s/ZgGukxK4XOEbIpVxOuJhskf4OuXo1bz4pBhhAo8qtMf4w5bA9j5m0kJ Q/V2lN9fiK3CewzS0kLCarid7HRBAHqlETG+5ULKZvfJOFu9Mu3FrGSZGKDYCnAP lxrzglHL0JsqKlqwaY5U =ja9u -----END PGP SIGNATURE-----
Current thread:
- CVE request Qemu: 9pfs: integer overflow leading to OOB access P J P (Oct 28)
- Re: CVE request Qemu: 9pfs: integer overflow leading to OOB access cve-assign (Oct 30)