Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat,  9 Jan 2016 08:57:03 -0500 (EST)
From: cve-assign@...re.org
To: ppandit@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, luodalongde@...il.com
Subject: Re: Qemu: ide: ahci use-after-free vulnerability in aio port commands

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Qemu emulator built with the IDE AHCI Emulation support is vulnerable to a use
> after free(kind of) issue. It could occur after processing AHCI Native Command
> Queuing(NCQ) AIO commands.
> 
> A privileged user inside guest could use this flaw to crash the Qemu process
> instance or might potentially execute arbitrary code with privileges of the
> Qemu process on the host.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg01184.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1288532

>> when the NCQ
>> command is invalid, the 'aiocb' object is not assigned, and NCQ
>> transfer object is left as 'used'. This leads to a use after
>> free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
>> Reset NCQ transfer object to 'unused' to avoid it.

Use CVE-2016-1568.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/ide/ahci.c but
that may be an expected place for a later update.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWkRD7AAoJEL54rhJi8gl5S1YP/2Nj8+B8iR1aFHR0GXUCsCWk
nKQYEphcDT0iyFkJ+1iazUA/72yIYp3U+wQaC5BpkUlT+KSWRKoSDCypjTKfXKUn
HwfAsrio3NAtnpJTapalqVWN4i9fUrzCrRdMDHO+4qgxk/ph0gjxnrGldMhKN7Sz
BTVqrY802SUFfHcKyX8Mdk7ixqq0V+grix0qRUd5q5cwrGgLsmNyWygU6gHz6rNR
UfB2ZQLAbybR7nUcdmYFv4oTfc4voCerLS2cWP/KGmput4vnBoZvNgkXxSysTVBE
dg54hk0xMQJzOjrec05M99wQ0kK7nhIvPyIF6D0zz3aBCJ6gyYHhipfl4skxoGNn
RE5ljb4483sbyLFBqzj9SmrDbdiPN+1aN8dbh2yelLP5y1ccMwOXxyY3vfxiXbyy
qsVdyO0dEA9A2s7OsSbROTwR/wHuT6PYyUOxgWx/0+waj/NuwC+znpKjgILoV7Hv
fGkRtIDGH1UhnlfUlweIKAKnpCYFuJpZhrnDc9Ldtzagw7eveIDUlXjgAE/E/vmc
+7ySSt2T6d6+J7vDqCyyfjVTSbIaC4EGlpxnAOdLnPf0cFUPxZfPytJLGUthzRpA
FUMVK8yNErYQEu8T07rfDXbPvk5lJoxPpoC4M1Wfkco33z1EeA03ic0W+dVnRfCC
VTZRXik6y0D06HcjIrRp
=iYts
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ