Bug 1126543 (CVE-2014-5263)

Summary: CVE-2014-5263 qemu: missing field list terminator in vmstate_xhci_event
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acathrow, amit.shah, areis, berrange, bsarathy, cfergeau, dwmw2, ehabkost, itamar, knoel, lersek, mkenneth, mrezanin, mtosatti, pbonzini, pmatouse, rhod, rjones, scottt.tw, stefanha, virt-maint, virt-maint, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-04 17:30:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1122147, 1145055    
Bug Blocks: 1124772    

Description Petr Matousek 2014-08-04 17:29:41 UTC
It was found that vmstate_xhci_event field list was missing
VMSTATE_END_OF_LIST() terminator and traversing through this list
would result in out-of-bounds access during vm state saving and
loading.

Depending on how vmstate_xhci_event is placed in the qemu binary,
this issue can range from non-issue, infinite loop to (potentially)
privilege escalation in case the we end up with fields that have info
and/or field_exist members initialized in a way that is useful for
exploitation (most probably unlikely).

In the worst case, attacker able to alter the migration data could
use this flaw to to corrupt QEMU process memory.

Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56

Comment 1 Petr Matousek 2014-08-04 17:30:17 UTC
Statement:

Not vulnerable.

This issue does not affect the versions of kvm package as shipped with
Red Hat Enterprise Linux 5 and versions of qemu-kvm package as shipped with
Red Hat Enterprise Linux 6 because they did not backport the commit that
introduced this issue.

This issue does not affect the versions of qemu-kvm package as shipped with
Red Hat Enterprise Linux 7 because the layout of qemu-kvm binary does not
allow successful exploitation of this flaw.

Comment 4 Murray McAllister 2014-08-18 02:21:12 UTC
MITRE assigned CVE-2014-5263 to this issue:

http://seclists.org/oss-sec/2014/q3/382