Bug 1712834 (CVE-2019-12247)

Summary: CVE-2019-12247 QEMU: qemu-guest-agent: integer overflow while running guest-exec command
Product: [Other] Security Response
Reporter: Prasad J Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: ailan, amit, areis, berrange, cfergeau, dbecker, dwmw2, itamar, jen, jferlan, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, marcandre.lureau, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, rbalakri, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, vrozenfe
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2019-05-31 07:16:38 UTC
Bug Depends On: 1712835, 1712836, 1712837, 1712844, 1712846, 1712847
Bug Blocks: 1608556

Description Prasad J Pandit 2019-05-22 10:54:55 UTC
An integer overflow issue was found in the QEMU Guest Agent in QEMU,
while reading the argument list passed to the 'guest-exec' QMP command.
An attacker could exploit this by sending a crafted QMP command to
the agent via a listening socket to trigger the overflow. It may
crash the QEMU guest agent, resulting in a DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/05/22/4

Comment 1 Prasad J Pandit 2019-05-22 10:55:01 UTC
Acknowledgments:

Name: Guoxiang Niu (huawei.com)

Comment 2 Prasad J Pandit 2019-05-22 10:57:36 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1712836]

Comment 8 Prasad J Pandit 2019-05-31 07:16:38 UTC
This one turned out to be a non-issue. The number of command-line arguments
is capped by the QMP JSON parser to MAX_TOKEN_COUNT (2ULL << 20):

  -> https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg05457.html

That cap avoids the said integer overflow issue.

Closing this as notabug.
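Added example, not QEMU's code: a C sketch of the mitigation comment 8 describes, building a NULL-terminated argv from a linked list of argument strings with the element count bounded by the page's MAX_TOKEN_COUNT and the allocation size computed in size_t with an explicit wrap check. The strList shape, the function names and the sample arguments are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Token cap quoted in comment 8. An argument list parsed from QMP JSON
 * cannot have more entries than tokens, so this also bounds argc. */
#define MAX_TOKEN_COUNT (2ULL << 20)

/* Linked list of argument strings (assumed shape, like QAPI's strList). */
typedef struct strList {
    char *value;
    struct strList *next;
} strList;

/* Bytes needed for an argv of `count` pointers plus the terminating NULL.
 * Returns -1 if count exceeds the cap or the multiply would wrap. The
 * arithmetic is done in size_t, never in int, so no signed overflow. */
int argv_alloc_size(size_t count, size_t *bytes)
{
    if (count > MAX_TOKEN_COUNT) {
        return -1;
    }
    if (count + 1 > SIZE_MAX / sizeof(char *)) {  /* unreachable under the cap */
        return -1;
    }
    *bytes = (count + 1) * sizeof(char *);
    return 0;
}

/* Build a NULL-terminated argv from the list; NULL if rejected or OOM.
 * Counting stops at the cap, so a huge list costs bounded work. */
char **build_argv(const strList *entry)
{
    size_t count = 0, bytes, i = 0;
    for (const strList *it = entry; it != NULL; it = it->next) {
        if (++count > MAX_TOKEN_COUNT) {
            return NULL;
        }
    }
    if (argv_alloc_size(count, &bytes) != 0) {
        return NULL;
    }
    char **args = malloc(bytes);
    if (args == NULL) {
        return NULL;
    }
    for (const strList *it = entry; it != NULL; it = it->next) {
        args[i++] = it->value;  /* strings stay owned by the list */
    }
    args[i] = NULL;
    return args;
}
```

A constructed three-entry list such as "ls", "-l", "/tmp" yields a four-slot array whose last slot is NULL; a list longer than MAX_TOKEN_COUNT is rejected before any allocation.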

Comment 9 Doran Moppert 2020-02-11 00:32:05 UTC
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.