Bug 1225882 (CVE-2015-3209, xsa135)

Summary: CVE-2015-3209 qemu: pcnet: multi-tmd buffer overflow in the tx path
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abaron, acathrow, ailan, alonbl, aortega, apevec, areis, armbru, ayoung, bazulay, bmcclain, carnil, chrisw, dallan, dblechte, drjones, ecohen, fdeutsch, gklein, gkotton, gmollett, idith, iheim, imammedo, jen, knoel, lhh, lpeer, lsurette, markmc, michal.skrivanek, mkenneth, mrezanin, mst, pbonzini, ppandit, pstehlik, rbalakri, rbryant, rkrcmar, rpacheco, sclewis, security-response-team, stefanha, vkuznets, ycui, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-26 17:42:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1225886, 1225887, 1225889, 1225890, 1225892, 1225893, 1225896, 1225898, 1227601, 1227602, 1230536, 1230537, 1230538    
Bug Blocks: 1225908    
Attachments:
Description Flags
Upstream patch none

Description Petr Matousek 2015-05-28 11:46:16 UTC
A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packet with length above 4096 bytes. 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption.

A privileged guest user in a guest with AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

Upstream fix:
-------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=9f7c594c006289ad41169b854d70f5da6e400a2a


Acknowledgements:

Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue.

Comment 2 Petr Matousek 2015-05-28 11:50:31 UTC
Created attachment 1031225 [details]
Upstream patch

7b50d00911ddd6d56a766ac5671e47304c20a21b commit is a prerequisite.

Comment 8 Petr Matousek 2015-05-28 12:03:41 UTC
Statement: 

This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 7 as they do not enable the pcnet backend driver.

This issue does not affect the Red Hat Enterprise Linux 7 based versions of the qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.

This issue affects the versions of the kvm and xen packages as shipped with Red Hat Enterprise Linux 5, the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 6, and the Red Hat Enterprise Linux 6 based versions of qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3. Future updates for the respective releases may address this flaw.

Please note that AMD PCNet adapter has to be explicitly enabled per-guest as it is not enabled in default configuration and is not supported by Red Hat in Red Hat Enterprise Linux 6 (for a list of supported devices please consult https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-whitelist-device-options.html).

Comment 13 Petr Matousek 2015-06-10 14:16:41 UTC
Upstream patch submission:

https://www.mail-archive.com/qemu-devel@nongnu.org/msg302403.html

Comment 14 errata-xmlrpc 2015-06-10 14:48:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1087 https://rhn.redhat.com/errata/RHSA-2015-1087.html

Comment 15 errata-xmlrpc 2015-06-10 15:00:27 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2015:1088 https://rhn.redhat.com/errata/RHSA-2015-1088.html

Comment 16 errata-xmlrpc 2015-06-10 16:23:18 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:1089 https://rhn.redhat.com/errata/RHSA-2015-1089.html

Comment 17 Petr Matousek 2015-06-11 06:58:35 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1230537]

Comment 18 Petr Matousek 2015-06-11 06:58:41 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1230536]
Affects: epel-7 [bug 1230538]

Comment 19 Fedora Update System 2015-06-24 16:00:57 UTC
xen-4.5.0-11.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2015-06-24 16:02:24 UTC
xen-4.4.2-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2015-06-24 16:04:05 UTC
xen-4.3.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2015-06-25 13:28:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:1189 https://rhn.redhat.com/errata/RHSA-2015-1189.html

Comment 23 Fedora Update System 2015-08-18 05:16:37 UTC
qemu-2.3.1-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2015-08-23 16:40:37 UTC
qemu-2.4.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2015-09-01 07:26:35 UTC
qemu-2.1.3-9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.