Date: Thu, 21 Jan 2016 20:57:17 -0500 (EST)
From: cve-assign@...re.org
To: ppandit@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, lersek@...hat.com
Subject: Re: CVE request Qemu: net: e1000 infinite loop in start_xmit and e1000_receive_iov routines

> Qemu emulator built with the e1000 NIC emulation support is vulnerable to an
> infinite loop issue. It could occur while processing data via transmit or
> receive descriptors, provided the initial receive/transmit descriptor
> head (TDH/RDH) is set outside the allocated descriptor buffer.
> 
> A privileged user inside the guest could use this flaw to crash the Qemu
> instance, resulting in DoS.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1298570
> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html

>> What both directions miss is that the guest could program TDLEN and RDLEN
>> so low, and the initial TDH and RDH so high, that these registers will
>> immediately be truncated to zero, and then never reassume their initial
>> values in the loop -- a full wraparound will never occur.

>> i.e., TDH or RDH start out after the last whole rx or tx descriptor that
>> fits into the TDLEN or RDLEN sized area.

Use CVE-2016-1981.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/net/e1000.c but
that may be an expected place for a later update.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
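The termination failure Laszlo describes in the quoted text, as an added C model of the transmit ring walk (constructed for this note, not QEMU's hw/net/e1000.c): the head index is wrapped to zero at the end of a TDLEN-byte ring, and the loop only stops on a full wraparound back to the starting index, so a start index that lies past the last whole descriptor is never revisited. The struct, function names and the `budget` guard are hypothetical; the `hardened` branch adds a bound on the starting index of the kind the fix needs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the e1000 transmit ring walk (not QEMU's code).
 * Registers hold descriptor indices (TDH/TDT) and a byte length (TDLEN),
 * as in the datasheet; each legacy descriptor is 16 bytes. */
#define DESC_SIZE 16u

struct tx_regs {
    uint32_t tdh;   /* head index: next descriptor to process */
    uint32_t tdt;   /* tail index: where the guest stopped writing */
    uint32_t tdlen; /* ring length in bytes */
};

/* Walk the ring from TDH until TDT. 'hardened' enables the extra check on
 * the starting index. 'budget' bounds iterations so the unfixed variant
 * terminates in this model; *hung is set when the budget runs out.
 * Returns the number of descriptors consumed. */
static unsigned walk_tx_ring(struct tx_regs *r, bool hardened,
                             unsigned budget, bool *hung)
{
    uint32_t tdh_start = r->tdh;   /* sampled once, before the loop */
    unsigned consumed = 0;
    *hung = false;

    while (r->tdh != r->tdt) {
        if (consumed == budget) {   /* would spin forever without this */
            *hung = true;
            break;
        }
        /* ... the descriptor at r->tdh would be read and processed here ... */
        consumed++;
        if (++r->tdh * DESC_SIZE >= r->tdlen)
            r->tdh = 0;             /* wrap at the end of the ring */
        /* Original termination: stop only on a full wraparound back to
         * tdh_start. If tdh_start lies past the last descriptor that fits
         * in TDLEN, the head wraps to 0 and never reaches it again. */
        if (r->tdh == tdh_start)
            break;
        /* Added bound: a start index outside the ring cannot be revisited,
         * so give up right away instead of spinning. */
        if (hardened && tdh_start >= r->tdlen / DESC_SIZE)
            break;
    }
    return consumed;
}
```

With a two-descriptor ring (TDLEN = 32) and TDH = 5, TDT = 6, the unfixed walk exhausts any budget while the hardened one consumes one descriptor and stops; a sane ring (TDH = 1, TDT = 3, TDLEN = 64) consumes two descriptors in both modes.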
