Bug 1422415 (CVE-2017-2630)

Summary: CVE-2017-2630 Qemu: nbd: oob stack write in client routine drop_sync
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: ailan, amit, apevec, areis, berrange, carnil, cfergeau, chrisw, coli, cvsbot-xmlrpc, drjones, dwmw2, eblake, imammedo, itamar, jen, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, markmc, m.a.young, mkenneth, mrezanin, mst, pbonzini, rbryant, rjones, rkrcmar, sclewis, srevivo, tdecacqu, virt-maint, vkuznets, xen-maint
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: qemu 2.9
Doc Type: Bug Fix
Doc Text:
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) built with Network Block Device (NBD) client support. The flaw could occur while processing the server's response to an 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client, resulting in a denial of service (DoS), or potentially execute arbitrary code on the client host with the privileges of the QEMU process.
Last Closed: 2019-06-08 03:07:39 UTC
Bug Depends On: 1425302
Bug Blocks: 1420238

Description Prasad Pandit 2017-02-15 09:47:11 UTC
Quick Emulator (Qemu) built with the Network Block Device (NBD) client support is
vulnerable to a stack buffer overflow issue. It could occur while processing the
server's response to a 'NBD_OPT_LIST' request.

A malicious NBD server could use this issue to crash a remote NBD client,
resulting in DoS, or potentially execute arbitrary code on the client host with
the privileges of the Qemu process.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/02/15/2

Comment 5 Eric Blake 2017-03-07 16:51:32 UTC
Latest upstream patch - hoping it will be merged for the release candidates
https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg01455.html

Comment 6 Eric Blake 2017-03-15 20:50:30 UTC
Will be in qemu 2.9:

commit 2563c9c6b8670400c48e562034b321a7cf3d9a85
Author: Vladimir Sementsov-Ogievskiy <vsementsov>
Date:   Tue Mar 7 09:16:27 2017 -0600

    nbd/client: fix drop_sync [CVE-2017-2630]
    
    Comparison symbol is misused. It may lead to memory corruption.
    Introduced in commit 7d3123e.
    
    Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov>
    Message-Id: <20170203154757.36140-6-vsementsov>
    [eblake: add CVE details, update conditional]
    Signed-off-by: Eric Blake <eblake>
    Reviewed-by: Marc-André Lureau <marcandre.lureau>
    Message-Id: <20170307151627.27212-1-eblake>
    Signed-off-by: Paolo Bonzini <pbonzini>
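
As an added illustration (not the QEMU source and not the patch referenced above), the shape of the defect the commit message calls a misused comparison symbol: a drop_sync-style helper that picks a small stack scratch buffer or a heap buffer by comparing the requested size against the stack buffer, with the inverted selector shown beside a corrected drain routine. The buffer sizes, the in-memory channel and all function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_BUF 1024    /* constructed size of the stack scratch buffer */
#define MAX_CHUNK 65536   /* constructed cap on a single read */

/* Constructed in-memory channel standing in for the NBD server socket. */
typedef struct { const unsigned char *data; size_t len, pos; } mem_chan;

static size_t chan_read(mem_chan *c, unsigned char *dst, size_t want) {
    size_t avail = c->len - c->pos, n = avail < want ? avail : want;
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
    return n;                     /* 0 signals end of stream */
}

/* Buggy selector: picks the stack buffer exactly when `size` does NOT fit in
 * it, so a long server reply would be read into the too-small stack array. */
bool buggy_uses_stack(size_t size) { return SMALL_BUF < size; }

/* Fixed selector: the stack buffer is used only when the whole drop fits. */
bool fixed_uses_stack(size_t size) { return SMALL_BUF >= size; }

/* Discard `size` bytes from the channel in bounded chunks. Returns the number
 * of bytes dropped, or -1 on allocation failure or premature end of stream. */
long drop_sync_fixed(mem_chan *c, size_t size) {
    unsigned char small[SMALL_BUF];
    size_t chunk = size < MAX_CHUNK ? size : MAX_CHUNK;  /* <= SMALL_BUF when small is used */
    unsigned char *buffer = fixed_uses_stack(size) ? small : malloc(chunk);
    long dropped = 0;
    if (!buffer) return -1;
    while (size > 0) {
        size_t n = chan_read(c, buffer, size < chunk ? size : chunk);
        if (n == 0) { dropped = -1; break; }   /* server closed early */
        size -= n; dropped += n;
    }
    if (buffer != small) free(buffer);
    return dropped;
}

/* Check helper: drop `want` bytes from a constructed zero-filled stream of
 * `total` bytes; -1 shows a truncated reply is reported rather than hidden. */
long drop_from_stream(size_t total, size_t want) {
    unsigned char *bytes = calloc(total, 1);
    mem_chan c = { bytes, total, 0 };
    long r = bytes ? drop_sync_fixed(&c, want) : -1;
    free(bytes);
    return r;
}
```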

Comment 9 errata-xmlrpc 2017-08-02 04:49:28 UTC
This issue has been addressed in the following products:

  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:2392 https://access.redhat.com/errata/RHSA-2017:2392