Bug 1270871 (CVE-2015-8744)

Summary: CVE-2015-8744 Qemu: net: vmxnet3: incorrect l2 header validation leads to a crash via assert(2) call
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, acathrow, apevec, areis, ayoung, bmcclain, chrisw, dallan, dblechte, gkotton, idith, jen, jschluet, knoel, lhh, lpeer, markmc, michal.skrivanek, mkenneth, mrezanin, mst, pbonzini, ppandit, rbryant, sclewis, security-response-team, slong, srevivo, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A reachable-assertion flaw was found in the QEMU emulator built with VMWARE-VMXNET3 paravirtualized NIC emulator support. The flaw occurs if a guest sends a Layer-2 packet that was smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could exploit this flaw to crash the QEMU process instance, resulting in denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:44:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1295440, 1295441    
Bug Blocks: 1270878    
Attachments:
Description Flags
Patch none

Description Adam Mariš 2015-10-12 14:54:16 UTC 
Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is
vulnerable to crash issue. It occurs when a guest sends a Layer-2 packets smaller than 22 bytes.

A privileged(CAP_SYS_RAWIO) guest user could use this flaw to crash the Qemu process instance resulting in DoS.

Upstream patch:
---------------
  -> http://git.qemu.org/?p=qemu.git;a=commitdiff;h=a7278b36fcab9af469563bd7b

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/01/04/6
Comment 1 Adam Mariš 2015-10-12 14:57:48 UTC 
Created attachment 1082030 [details]
Patch
Comment 2 Paolo Bonzini 2015-10-19 09:59:21 UTC 
RHEL and RHEV QEMU is not affected because it doesn't ship the vmx device.
Comment 3 Prasad Pandit 2016-01-04 13:07:58 UTC 
Statement: 

This issue does not affect the versions of the kvm and xen packages as shipped with Red Hat Enterprise Linux 5.

This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 6, and the Red Hat Enterprise Linux 6 based versions of qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.

This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 7.

This issue does not affect the Red Hat Enterprise Linux 7 based versions of the qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.
Comment 4 Prasad Pandit 2016-01-04 14:00:26 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1295441]
Comment 5 Prasad Pandit 2016-01-04 14:00:42 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1295440]
Comment 7 Fedora Update System 2016-01-12 07:54:32 UTC 
qemu-2.4.1-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-01-19 23:54:42 UTC 
qemu-2.3.1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2016-01-28 18:24:11 UTC 
xen-4.5.2-7.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2016-02-01 06:29:19 UTC 
xen-4.5.2-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.