Date: Tue, 15 Dec 2015 13:13:39 -0500 (EST)
From: cve-assign@...re.org
To: ppandit@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, luodalongde@...il.com
Subject: Re: CVE request Qemu: net: vmxnet3: host memory leakage


> Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is
> vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries
> to activate the vmxnet3 device.
> 
> A privileged guest user could use this flaw to leak host memory, resulting in
> DoS on the host.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html

>> Vmxnet3 device emulator does not check if the device is active
>> before activating it, also it did not free the transmit & receive
>> buffers while deactivating the device, thus resulting in memory
>> leakage on the host. This patch fixes both these issues to avoid
>> host memory leakage.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/net/vmxnet3.c but that
may be an expected place for a later update.

"does not check if the device is active before activating it" seems to
be similar to a CWE-372 ("Incomplete Internal State Distinction")
issue. Use CVE-2015-8567 for this aspect of the report.

"did not free the transmit & receive buffers while deactivating" seems
to be similar to a CWE-772 ("Missing Release of Resource after
Effective Lifetime") issue. Use CVE-2015-8568 for this aspect of the
report.


>> I've added a check in vmxnet3_deactivate_device() to avoid double free.

We think this may mean that the double free existed only in an early
version of the patch, and did not exist in any shipped QEMU code.
There is no CVE ID for the double free.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
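The two defect shapes named above (activation without an "already active" check, and deactivation that keeps the transmit/receive buffers) and the fixed lifecycle, as an added, constructed C model that is not QEMU's vmxnet3 code: ring "buffers" are integer handles and `live_buffers` stands in for host memory, so the test shows the leak grow with each repeated activation and stay at zero once the two checks are in place.

```c
#include <stdbool.h>

/* Constructed model of an emulated NIC's activate/deactivate lifecycle.
 * live_buffers counts rings allocated but not yet released (host memory). */
static int live_buffers = 0;
static int next_handle = 0;

typedef struct {
    bool device_active;
    int tx_ring;   /* 0 means "no ring allocated" */
    int rx_ring;
} NicModel;

static int ring_alloc(void) { live_buffers++; return ++next_handle; }
static void ring_free(int h) { if (h) live_buffers--; }

/* Defect shape 1 (CWE-372): no check whether the device is already active,
 * so every activation request allocates new rings and orphans the old ones. */
void activate_vulnerable(NicModel *s) {
    s->tx_ring = ring_alloc();
    s->rx_ring = ring_alloc();
    s->device_active = true;
}

/* Defect shape 2 (CWE-772): deactivation clears the flag but never releases
 * the rings that activation allocated. */
void deactivate_vulnerable(NicModel *s) {
    s->device_active = false;
}

/* Fixed shape: activation is idempotent; deactivation releases the rings and
 * is itself guarded so a repeated deactivate cannot free them twice. */
void activate_fixed(NicModel *s) {
    if (s->device_active) return;
    s->tx_ring = ring_alloc();
    s->rx_ring = ring_alloc();
    s->device_active = true;
}
void deactivate_fixed(NicModel *s) {
    if (!s->device_active) return;
    ring_free(s->tx_ring); s->tx_ring = 0;
    ring_free(s->rx_ring); s->rx_ring = 0;
    s->device_active = false;
}

/* Issue n activation requests, then deactivate; return rings still live. */
int leaked_after(int n, void (*act)(NicModel *), void (*deact)(NicModel *)) {
    NicModel s = {0};
    live_buffers = 0;
    for (int i = 0; i < n; i++) act(&s);
    deact(&s);
    return live_buffers;
}
```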
