Bug 1366369 (CVE-2016-6836)

Summary: CVE-2016-6836 Qemu: net: vmxnet: Information leakage in vmxnet3_complete_packet
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: low
Priority: low
Version: unspecified
CC: ailan, amit.shah, berrange, carnil, cfergeau, crobinso, dwmw2, imammedo, itamar, jen, knoel, m.a.young, mkenneth, mrezanin, mst, pbonzini, ppandit, rjones, virt-maint, virt-maint, vkuznets, xen-maint
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Text:
Quick Emulator (QEMU) built with the VMWARE VMXNET3 NIC device support is vulnerable to an information leakage issue. The vulnerability could occur while processing the transmit (tx) queue when it reaches the end of a packet. A privileged user inside the guest could use this vulnerability to leak host memory bytes to the guest.
Last Closed: 2016-12-21 13:01:18 UTC
Bug Depends On: 1366370, 1398132, 1398133, 1398134, 1398135, 1398136, 1398137, 1398138, 1398139, 1398140, 1398141    
Bug Blocks: 1346338, 1370384    

Description Prasad Pandit 2016-08-11 19:15:54 UTC
Quick Emulator(Qemu) built with the VMWARE VMXNET3 NIC device support
is vulnerable to an information leakage issue. It could occur while
processing transmit(tx) queue, when it reaches the end of packet.

A privileged user inside guest could use this to leak host memory bytes
to a guest.

Upstream patch:
---------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=fdda170e50b8af062cf5741e12c4fb5e57a2eacf

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/08/18/5
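
The following is an added illustration, not part of the original report and not QEMU code. It models the bug class behind this report, a completion descriptor built in a host-side local object and copied to guest-readable memory with some bytes never written, next to the hardened form that initialises the whole object first (which is what the upstream fix does for the local tx completion descriptor). The struct layout, function names and the 0xA5 stale-byte pattern are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5  /* constructed marker standing in for leftover host stack data */

/* Hypothetical 16-byte tx completion descriptor; NOT the real vmxnet3 layout. */
struct tx_comp_desc {
    uint32_t txd_idx;      /* index of the completed tx descriptor */
    uint32_t reserved[2];  /* never assigned by the device model */
    uint32_t gen;          /* ring generation bit */
};

/* Build a completion descriptor and copy it into the guest-visible ring slot. */
static void complete_packet(uint8_t *guest_slot, uint32_t tx_idx,
                            uint32_t gen, int zero_first)
{
    struct tx_comp_desc d;

    /* Model an uninitialised local deterministically: prefill with stale bytes. */
    memset(&d, STALE, sizeof d);
    if (zero_first)
        memset(&d, 0, sizeof d);        /* hardened: initialise the whole object */

    d.txd_idx = tx_idx;                 /* only these two fields are ever set */
    d.gen = gen;
    memcpy(guest_slot, &d, sizeof d);   /* whole object becomes guest-readable */
}

/* Count stale host bytes that reached the guest copy via the unset fields. */
size_t leaked_bytes(int zero_first)
{
    uint8_t guest_slot[sizeof(struct tx_comp_desc)] = {0};
    size_t n = 0;

    complete_packet(guest_slot, 7, 1, zero_first);
    for (size_t i = offsetof(struct tx_comp_desc, reserved);
         i < offsetof(struct tx_comp_desc, gen); i++)
        if (guest_slot[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("without init: %zu stale bytes reach the guest\n", leaked_bytes(0));
    printf("with memset:  %zu stale bytes reach the guest\n", leaked_bytes(1));
    return 0;
}
```

When reviewing device-model code for the same pattern, check every local struct that is later written to guest memory for fields, reserved words or padding that no code path assigns.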

Comment 1 Prasad Pandit 2016-08-11 19:16:18 UTC
Acknowledgments:

Name: Li Qiang (Qihoo 360 Inc.)

Comment 2 Prasad Pandit 2016-08-11 19:17:07 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1366370]

Comment 3 Adam Mariš 2016-08-19 07:19:20 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q3/311

Comment 8 Paolo Bonzini 2016-12-15 17:06:10 UTC
The bug does not affect either RHEL or OpenStack.

Comment 11 Wei 2016-12-21 14:12:58 UTC
The source code file for this BZ is not compiled in any RHEL repository, so we won't potentially suffer from this vulnerability.