Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue,  6 Sep 2016 20:54:43 -0400 (EDT)
From: cve-assign@...re.org
To: ppandit@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, liqiang6-s@....cn
Subject: Re: CVE request: Qemu: scsi: pvscsi: infintie loop when building SG list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Quick Emulator(Qemu) built with the VMWARE PVSCSI paravirtual SCSI bus
> emulation support is vulnerable to an infinite loop issue. It could occur
> while processing an IO request descriptor, building SG list.
> 
> A privileged user inside guest could use this flaw to crash the Qemu process
> resulting in DoS.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00772.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1373478

>> In PVSCSI paravirtual SCSI bus, the request descriptor data
>> length is defined to be 64 bit. While building SG list from
>> a request descriptor, it gets truncated to 32bit in routine
>> 'pvscsi_convert_sglist'. This could lead to an infinite loop
>> situation for arbitrarily large 'dataLen' values. Check
>> SG list element count to avoid  it.

Use CVE-2016-7156.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/scsi/vmw_pvscsi.c but
that may be an expected place for a later update.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXz2NGAAoJEHb/MwWLVhi2qM8P+gKKm8ns+cMWH6cCcT+M7Izh
G3uH1T2Kgz+8JhXDAKAyYrCnPXFkrAHULGX8RYmZJ8pDeKpNfqcF6NIz8TqaF+e2
1HHDKX7NsSn3ODL3KI0JdAq1nfQ4leut0h+6OQnAbUAVJJGplWNPfRd2eIqfOUHv
/Ew51J6R6oEaVV/+QL8PYNz/7U2MbmlrH56Pj4v3pqzeEc4MJgkX5EcGc01n/vZd
/ir6HjirzTajWsAoOZqRiQ9euentjOGwsTPIxCQ4v+MKWFdU+AdMonpoKic6dQj+
IuVQA0y59pkcXxfcWOhGghanCYh3hvnrSWUtL/PDeUSufyAwKJaVoo/IPKtwZVMW
PrsaxfPTzlYzwHc0usJPuMWjEytf9mWNU0jX/84tMNakTFLYXcCsAl9tH5iHmiVp
MIvAACVTQSQ7qx6s4UTz5PLbln1kZ3E5ZsXEv5rTZktwQ+2FDl31nuNLKZckYxKw
6bz4BHFO0FYmFU0TNjVIGfOypGh4ctX1N4pj9tAx87fk7+qT+LXDeNUztkW0nsdM
7zMI193LH+SzTcDH0B7Fkyeg2K8CmqPnctaRdhHo/man9i/MEZUiYn3Skk+AhJd/
yr3bwK5I1stfSSglp+uzjzLNZUQmg9sOA0aJrCddaQzyiNitusVDSCW6AKruBzln
1pxmVAwD3Eyefat/NQi8
=DZ2t
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.