Date: Tue, 15 Dec 2015 13:13:39 -0500 (EST) From: cve-assign@...re.org To: ppandit@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, luodalongde@...il.com Subject: Re: CVE request Qemu: net: vmxnet3: host memory leakage -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is > vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries > to activate the vmxnet3 device. > > A privileged guest user could use this flaw to leak host memory, resulting in > DoS on the host. > > https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html >> Vmxnet3 device emulator does not check if the device is active >> before activating it, also it did not free the transmit & receive >> buffers while deactivating the device, thus resulting in memory >> leakage on the host. This patch fixes both these issues to avoid >> host memory leakage. This is not yet available at http://git.qemu.org/?p=qemu.git;a=history;f=hw/net/vmxnet3.c but that may be an expected place for a later update. "does not check if the device is active before activating it" seems to be similar to a CWE-372 ("Incomplete Internal State Distinction") issue. Use CVE-2015-8567 for this aspect of the report. "did not free the transmit & receive buffers while deactivating" seems to be similar to a CWE-772 ("Missing Release of Resource after Effective Lifetime") issue. Use CVE-2015-8568 for this aspect of the report. >> I've added a check in vmxnet3_deactivate_device() to avoid double free. We think this may mean that the double free existed only in an early version of the patch, and did not exist in any shipped QEMU code. There is no CVE ID for the double free. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWcFaHAAoJEL54rhJi8gl5ehYP/0xjfZb8tF5OVXvfjx+KIxue pVYd4nId6wld+KSXED7qnLxVimc87zRiTq8tcezOUqRnzqtRq69i7r95MspsfTLX rf69q7lHPrci30a1lM2+CEz2H8FP07SMLAzibvKtZ+pQfeZ2IrdLbXs8dnHZ5oAw Jcy/7NKa3FcV8GU8+A9Fa34T6P3frmcOBLmCHuduyRNx98IFNC+SI7y9Z2lxp7LC m8SWQ1zELRbg/hqNmzaiADxyrlIZHzMosqAZuq8fRsrT4YwEp0ls93RSxV2Ix3Gb OfO99e8eC50IK2hVisJeXDvB08SGXkUOqxkwAtfVhk6PeomqmqDqrcJ4bkj5udq9 xnzquGlJNbVvWwpA9DOkP3GPyngtfTGa85DNtK8b5I0p0ocl37NyMT8PSi81GdVZ KdRgfWxOpThfudPSSn+S+dRHFFjelwO6/nVPLy3Yw/DOzlACZytrGfD76XAdbs2h 79rj4snSvHTI17D59dz5FddJwdGn34SF+BSxURcgBeddnP7zyeQKM5lECoG71uCa bL+gA0stcjE9Kmo8+JK8U9VCV5SJJ75n20uMfgP/PXK4llpocwdiBaHR2o7n5Saq wMJyeVbHlwfH4MNENEQ+YA9SlF9KpxBTfZla5BU+HbHq2/QZi0Tjd8m9pZFZvASS Kn4Qv+X11/Hhe2eal2// =Egny -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ