Bug 1297416

Summary: qemu: stack-based buffer overflow in gem_receive()
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Martin Prpič <mprpic>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: abaron, ailan, aortega, apevec, areis, ayoung, chrisw, dallan, drjones, gkotton, imammedo, jen, jschluet, knoel, lhh, lpeer, markmc, mkenneth, mrezanin, mst, pbonzini, ppandit, rbalakri, rbryant, rkrcmar, sclewis, security-response-team, tdecacqu, vkuznets, yeylon
Keywords: Security
Target Milestone: ---
Target Release: ---
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-14 16:14:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1297427

Description Martin Prpič 2016-01-11 13:21:02 UTC
A stack-based buffer overflow flaw was found in QEMU's gem_receive() function.

When GEM_NWCFG_STRIP_FCS was not set, gem_receive() would copy packet data to rxbuf[2048], resulting in a buffer overflow if the length of a packet was more than 2048.

Acknowledgements:

Red Hat would like to thank Ling Liu of Qihoo 360 Inc. for reporting this issue.
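The pattern the report describes, as an added illustration that is not QEMU's cadence_gem code and not part of this bug report: a receive path that, when the guest has not enabled FCS stripping, copies the incoming frame into a fixed 2048-byte stack buffer so a synthesized FCS can be appended. Note that comment 1 below records the report as closed NOTABUG, so this models the shape of the concern as written, not a confirmed flaw in QEMU. The bit position assumed for GEM_NWCFG_STRIP_FCS, the RX_DROPPED code, the frame pattern and all function names are assumptions made for the example; the CRC-32 routine matches zlib's crc32(0, buf, len).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the receive path described in the report; this is
 * not QEMU's cadence_gem code. Register bit, error code, frame pattern and
 * buffer layout are assumptions made for this example. */

#define RXBUF_SIZE          2048        /* the fixed stack buffer from the report */
#define FCS_LEN             4           /* Ethernet frame check sequence */
#define GEM_NWCFG_STRIP_FCS (1u << 17)  /* assumed bit position */
#define RX_DROPPED          (-1L)       /* frame rejected before any copy */

/* Bitwise CRC-32 (IEEE 802.3, reflected, poly 0xEDB88320); same value as
 * zlib's crc32(0, buf, len). Used to synthesise the FCS the guest asked for. */
static uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Bytes the unchecked path writes into rxbuf: the whole frame plus the
 * synthesised FCS. With STRIP_FCS set the frame is handed through as-is
 * and rxbuf is not touched, so the answer is 0. */
static size_t rxbuf_bytes_needed(uint32_t nwcfg, size_t size)
{
    if (nwcfg & GEM_NWCFG_STRIP_FCS)
        return 0;
    return size + FCS_LEN;
}

/* The shape the report describes: a copy bounded by the packet length, not
 * by sizeof(rxbuf). Returns 1 if that write would run past the 2048 bytes. */
static int unchecked_copy_overflows(uint32_t nwcfg, size_t size)
{
    return rxbuf_bytes_needed(nwcfg, size) > RXBUF_SIZE;
}

/* Hardened receive: the frame is rejected before the stack buffer is touched
 * when it, plus the FCS to be appended, cannot fit. Returns the number of
 * bytes delivered into `out`, or RX_DROPPED. */
static long gem_receive_checked(uint32_t nwcfg, const uint8_t *buf, size_t size,
                                uint8_t *out, size_t out_cap)
{
    uint8_t rxbuf[RXBUF_SIZE];
    const uint8_t *src;
    size_t len;

    if (nwcfg & GEM_NWCFG_STRIP_FCS) {
        /* Frames from the emulator's net layer carry no FCS: pass through. */
        src = buf;
        len = size;
    } else {
        /* The check: bound by the destination, counting the FCS bytes. */
        if (size > sizeof(rxbuf) - FCS_LEN)
            return RX_DROPPED;
        memcpy(rxbuf, buf, size);
        uint32_t fcs = crc32_ieee(buf, size);
        for (int i = 0; i < FCS_LEN; i++)       /* FCS goes on the wire LSB first */
            rxbuf[size + i] = (uint8_t)(fcs >> (8 * i));
        src = rxbuf;
        len = size + FCS_LEN;
    }
    if (len > out_cap)
        return RX_DROPPED;
    memcpy(out, src, len);
    return (long)len;
}

/* Constructed input for the demonstration: a frame of `size` bytes filled
 * with a fixed pattern, fed through gem_receive_checked(). Returns what the
 * hardened path reports for it. */
static long receive_constructed_frame(uint32_t nwcfg, size_t size)
{
    static uint8_t frame[4096];
    static uint8_t out[RXBUF_SIZE];
    if (size > sizeof(frame))
        return RX_DROPPED;
    for (size_t i = 0; i < size; i++)
        frame[i] = (uint8_t)(0xA5 ^ i);
    return gem_receive_checked(nwcfg, frame, size, out, sizeof(out));
}
```

The boundary worth checking is not 2048 but 2048 minus the 4 FCS bytes: a 2044-byte frame fills rxbuf exactly, a 2045-byte one already overruns it once the FCS is appended, and the STRIP_FCS path never enters the buffer at all.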

Comment 1 Prasad Pandit 2016-01-14 16:11:14 UTC
This turned out to be a security non-issue.
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1297427#c3