Bug 1297426

Summary: qemu: stack-based buffer overflow in gem_transmit()
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, ailan, aortega, apevec, areis, ayoung, chrisw, dallan, drjones, gkotton, imammedo, jen, jschluet, knoel, lhh, lpeer, markmc, mkenneth, mrezanin, mst, pbonzini, ppandit, rbalakri, rbryant, rkrcmar, sclewis, security-response-team, tdecacqu, vkuznets, yeylon
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-01-14 16:14:49 UTC
Bug Blocks: 1297427
Attachments: proposed patch (flags: none)

Description Martin Prpič 2016-01-11 13:37:11 UTC
A stack-based buffer overflow flaw was found in QEMU's gem_transmit() function.

The gem_transmit() function reads the length of a packet from physical memory, then reads the packet from physical memory into tx_packet[2048] using this length. This may result in a buffer overflow if the length of the packet is more than 2048.

Acknowledgements:

Red Hat would like to thank Ling Liu of Qihoo 360 Inc. for reporting this issue.
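As an added illustration, not QEMU's code, the following models a descriptor-driven copy into a fixed 2048-byte tx_packet[] together with the bounds check that keeps a guest-supplied length from overrunning it; the descriptor layout, assemble_frame(), run_chain() and the demo_* cases are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define TX_BUF_SIZE 2048   /* size of the device model's tx_packet[] staging buffer */

/* Hypothetical transmit descriptor. The length field is written by the guest,
 * so the device model must treat it as untrusted input. */
typedef struct {
    uint32_t length;        /* bytes to copy for this descriptor */
    const uint8_t *data;    /* stands in for the guest physical address */
} tx_desc_t;

/* Gather a frame from a descriptor chain into tx_packet.
 * Returns the assembled length, or -1 if any descriptor would overrun the
 * space remaining in the buffer: the check a copy of this shape needs. */
static int assemble_frame(const tx_desc_t *descs, size_t ndesc,
                          uint8_t *tx_packet, size_t tx_size)
{
    size_t used = 0;
    for (size_t i = 0; i < ndesc; i++) {
        uint32_t len = descs[i].length;
        if (len > tx_size - used) {   /* reject before memcpy, never after */
            return -1;
        }
        memcpy(tx_packet + used, descs[i].data, len);
        used += len;
    }
    return (int)used;
}

/* Constructed sample payload, large enough that a descriptor can claim more
 * than tx_packet holds (the situation the report describes). */
static uint8_t sample_payload[4096];

/* Build a chain with the given descriptor lengths and run it through
 * assemble_frame(); used by the cases below. */
static int run_chain(const uint32_t *lens, size_t n)
{
    uint8_t tx_packet[TX_BUF_SIZE];
    tx_desc_t descs[4];
    if (n > 4) return -1;
    for (size_t i = 0; i < n; i++) {
        descs[i].length = lens[i];
        descs[i].data = sample_payload;
    }
    return assemble_frame(descs, n, tx_packet, sizeof(tx_packet));
}

int demo_two_fragments(void) { uint32_t l[] = {1000, 1000}; return run_chain(l, 2); } /* 2000 */
int demo_exact_fit(void)     { uint32_t l[] = {2048};       return run_chain(l, 1); } /* 2048 */
int demo_oversized(void)     { uint32_t l[] = {4096};       return run_chain(l, 1); } /* -1 */
int demo_chain_overrun(void) { uint32_t l[] = {1500, 600};  return run_chain(l, 2); } /* -1 */
```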

Comment 1 Martin Prpič 2016-01-11 13:39:20 UTC
Created attachment 1113613: proposed patch

Comment 2 Prasad Pandit 2016-01-14 16:12:08 UTC
This turned out to be a security non-issue.
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1297427#c3