Bug 1609015 (CVE-2018-18438)

Summary: CVE-2018-18438 Qemu: Integer overflow in ccid_card_vscard_read() allows memory corruption
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: amit, apevec, areis, berrange, cfergeau, chrisw, dwmw2, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, markmc, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, philmd, ppandit, rbalakri, rbryant, rjones, robinlee.sysu, sclewis, security-response-team, slinaber, srevivo, tburke, tdecacqu, tohidi.arash, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-05-03 16:26:09 UTC
Bug Depends On: 1640005, 1640006, 1640007, 1640008, 1640009, 1640010, 1640011, 1640012, 1640013, 1640019, 1640020
Bug Blocks: 1613564

Description Laura Pardo 2018-07-26 18:06:38 UTC
An integer overflow issue was found in the CCID Passthru card device emulation, while reading card data in the ccid_card_vscard_read() function. The ccid_card_vscard_read() function accepts a signed integer 'size' argument, which is subsequently used as an unsigned size_t value in memcpy(), copying large amounts of memory.

A user inside the guest could use this flaw to crash the Qemu process, resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2018/10/17/3
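The signed-to-unsigned hazard the report describes, modelled in a standalone example (added here; this is not QEMU's ccid code, and the vscard_model struct, VSCARD_BUF_SIZE and the function names are constructed for illustration): a negative int passed where memcpy expects size_t becomes a huge length, and the hardened read rejects negative sizes and sizes that exceed the remaining buffer space before any copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a passthru card's receive buffer (not QEMU's). */
#define VSCARD_BUF_SIZE 64

typedef struct {
    uint8_t buf[VSCARD_BUF_SIZE];
    size_t  buf_pos;   /* bytes already received into buf */
} vscard_model;

/* Unchecked pattern: a signed 'size' flows straight into a size_t length.
 * Returns the length memcpy would be asked to copy, without copying, so the
 * conversion can be observed safely (-1 becomes SIZE_MAX). */
size_t unchecked_copy_len(int size)
{
    return (size_t)size;
}

/* Hardened read: validate before the copy. Returns bytes appended, or -1 if
 * the request is negative or would overrun the remaining space in buf. */
int vscard_read_checked(vscard_model *card, const uint8_t *src, int size)
{
    if (size < 0) {
        return -1;                              /* negative length */
    }
    size_t remaining = VSCARD_BUF_SIZE - card->buf_pos;
    if ((size_t)size > remaining) {
        return -1;                              /* would overflow buf */
    }
    memcpy(card->buf + card->buf_pos, src, (size_t)size);
    card->buf_pos += (size_t)size;
    return size;
}

/* 1 if a fresh card model rejects a single read of 'size' bytes, else 0. */
int rejects_size(int size)
{
    vscard_model card = {{0}, 0};
    uint8_t src[VSCARD_BUF_SIZE] = {0};
    return vscard_read_checked(&card, src, size) < 0;
}

/* Fill 60 bytes, then request 8 more: the second read must be refused and
 * buf_pos must stay at 60. Returns the final buf_pos. */
size_t partial_fill_then_reject(void)
{
    vscard_model card = {{0}, 0};
    uint8_t src[VSCARD_BUF_SIZE] = {0};
    vscard_read_checked(&card, src, 60);
    vscard_read_checked(&card, src, 8);
    return card.buf_pos;
}
```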

Comment 1 Laura Pardo 2018-07-26 18:06:53 UTC
Acknowledgments:

Name: Arash Tohidi

Comment 2 Arash Tohidi 2018-07-26 18:42:41 UTC
The overflowed argument in ccid_card_vscard_read() is "int size". Another memory corruption may happen if a specially crafted buffer is fed to buf, which will be passed to ccid_card_vscard_handle_message() and eventually will result in another memory overwrite by calling memcpy().

Comment 4 Prasad Pandit 2018-10-17 06:45:41 UTC
External References:

https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html

Comment 6 Prasad Pandit 2018-10-17 07:19:55 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1640019]

Comment 11 Philippe Mathieu-Daudé 2019-05-03 16:26:09 UTC
The maintainer audited the code and cannot find that memory corruption happens (see bug 1640020#c9).

Since there is no known reproducer (see bug 1640020#c7), all those issues have been closed as NOTABUG.

Comment 12 Doran Moppert 2020-06-17 06:14:10 UTC
Statement:

The maintainer audited the code and determined that no memory corruption is possible using this flaw. Patches were applied upstream to prevent future changes introducing such flaws, but the issues identified by this CVE were determined to not constitute a vulnerability.