[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE request Qemu: hmp: stack based OOB write in hmp_sendkey routine
From:       cve-assign () mitre ! org
Date:       2015-12-23 0:02:11
Message-ID: 20151223000211.455E442E1D2 () smtpvbsrv1 ! mitre ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Qemu emulator built with the Human Monitor Interface(HMP) support is
> vulnerable to an OOB write issue. It occurs while processing 'sendkey' command
> in hmp_sendkey routine, if the command argument is longer than the
> 'keyname_buf' buffer size.
> 
> A user/process could use this flaw to crash the Qemu process instance
> resulting in DoS.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1283926

>> An OOB write issue was reported by Mr Ling Liu ... It occurs while
>> processing the 'sendkey' command, if the command argument was longer
>> than the 'keyname_buf[16]' buffer.

>> hmp: avoid redundant null termination of buffer

>> When processing 'sendkey' command, hmp_sendkey routine null
>> terminates the 'keyname_buf' array. This results in an OOB write
>> issue, if 'keyname_len' was to fall outside of 'keyname_buf' array.
>> Removed the redundant null termination, as pstrcpy routine already
>> null terminates the target buffer.

Use CVE-2015-8619.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hmp.c but that
may be an expected place for a later update.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWeeQAAAoJEL54rhJi8gl5SqUP/jZ+NCSW5hsvkOvpcDPME24Q
JyWE7Gm5PesbYYNOMRIZjtNm3FZJWP0iKMxECyx71bksSXrnW1m2RcNus1wNxkif
UKuIRiGut2gTBIcMOKsVAKCfd7W705TJOMUEperMR8o2uKhcLQzkQ9VxrnOukIPR
jGNSCtBJT3cC2M8U1MFWnWiNErBPNrUKcRnf9ob2EtXEmM9t/nV9FMA/U8C6Ke10
i2WMJ7pbKaqxn+irai/d4MBqSKHn0caeTy5XYYPJuSMcUOw+yAocljUJkqqi456L
MxBUpY054DKqY15XpL7S1A/z/IXtvxs6eKRVIzJOvSskDDFVauJayNRi2A0w0wyM
aJ5HZPwBFPCOpCpz3nftG5UxdnxQtUDrO2BBu09T9d2Est1wCP+zxKAboUkG3SE2
+xixvZXTlqo8/f7qMVvZ58Hr1ieT5Gp5DD7AdK8wBmHlDTbGRXEAqgskgvbBZIjl
lkRpp9gXrpuiETyI08y5lxBd7Yu74f8WNxdNn5OR9Q3pWo6BPRBGRiqV5A0Z1lGB
dqV71TvYDxzphZF1bFyLV0x4L6F3XIShew1mOfD45M78Z531ZNJGo116HJiJulgB
yC+hfD8ctkaqAfHILIDuRug3oIYeD1jxqeSLixZS79ASGUtBrxnGO8eMU+ra0ZvQ
Tx6KxEwFW+HIMZvyyVdm
=BQ7m
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]