Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 29 Dec 2015 01:33:52 -0500 (EST)
From: cve-assign@...re.org
To: ppandit@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, luodalongde@...il.com
Subject: Re: CVE request Qemu net: rocker: fix an incorrect array bounds check

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Qemu emulator built with the Rocker switch emulation support is vulnerable to
> an off-by-one error. It happens while processing transmit(tx) descriptors in
> 'tx_consume' routine, if a descriptor was to have more than allowed
> (ROCKER_TX_FRAGS_MAX=16) fragments.
> 
> A privileged user inside guest could use this flaw to cause memory leakage on
> the host or crash the Qemu process instance resulting in DoS issue.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1286971

>> While processing transmit(tx) descriptors in 'tx_consume' routine
>> the switch emulator suffers from an off-by-one error, if a
>> descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
>> fragments. Fix an incorrect bounds check to avoid it.

Use CVE-2015-8701.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/net/rocker/rocker.c but
that may be an expected place for a later update.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWgiicAAoJEL54rhJi8gl5xgMP/0m/6rggx4QjsM1bvTzJxs6T
VyoOVeWKJVqO2qMtl0eHwhsQZty8O26Qbyewqvt13551IjbYxbvHLZzo/wwN1b16
oiQjdsjSZyR+Uw3GYLmmEf2Np1EvRsvAO+wqOzhJ1I/ktbrP1V1Z7Zi6pt2HHDmq
jQaPvHv4jjd00bvmO6zWvrAPQZlwK5IWhQsB3QM9zZOBik95q9N2VstM6lLzMu2U
VlGa0CHW7VUtOiN8Bw+iBFXyv8ZAgrOrtMbgIwt6EjlYefuNOrVFhp9EEvNONegW
mOaj6Xucm44gVGO0NkHcH6XILFwdESs7T57pvqLlDbCOhVSZpX/Xq9PO+ZqiI3AD
7EpbV6tye2GodfvLtxOu0WKaHAbZRKK9ynWo3zVCOcsHDmS864w4eZZexj+fGgsg
dpY3c9j+otN1J+bgRaNGvKapQ0LrJAffXMk5iTb4233KF0/SSnmAMbU46lI/Sn7d
E6PGoHkosmPPQvjaNLf3BOetzKSO7cQj9CJ1Uen2RsuTHlJ3FoyAdUs5nk33Z96z
wiiHTl7duEtslr3mHq6xwynbgfDyPvlnrchMS8Q8NBUf2fUnKiDK6zdsiH3s14dh
QA8F6eDCEIxqGyKM0UMAYiUTcejx0NtZ5TFSTR5LCx+CmSbtm2wJhBiGOz4r797b
iCXQR5QRr2Ml8Zq6nk8/
=idCx
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.