Bug 1417559 (CVE-2017-5667)

Summary: CVE-2017-5667 Qemu: sd: sdhci OOB access during multi block SDMA transfer
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, amit.shah, apevec, areis, ayoung, berrange, cfergeau, chrisw, cvsbot-xmlrpc, drjones, dwmw2, imammedo, itamar, jen, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, markmc, m.a.young, mkenneth, mrezanin, mst, pbonzini, rbryant, rjones, rkrcmar, sclewis, srevivo, tdecacqu, virt-maint, virt-maint, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:06:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1417560    
Bug Blocks: 1401602    

Description Prasad Pandit 2017-01-30 09:36:43 UTC 
Quick emulator(Qemu) built with the SDHCI device emulation support is vulnerable
to an OOB heap access issue. It could occur while doing a multi block SDMA
transfer via sdhci_sdma_transfer_multi_blocks routine.

A privileged user inside guest could use this flaw to crash the Qemu process
resulting in DoS or potentially execute arbitrary code with privileges of the
Qemu process on the host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06191.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/01/30/2
Comment 1 Prasad Pandit 2017-01-30 09:38:11 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1417560]
Comment 2 Prasad Pandit 2017-01-30 09:42:18 UTC 
Acknowledgments:

Name: Jiang Xin (Huawei PSIRT)