Bug 1821180 (CVE-2020-11102)

Summary: CVE-2020-11102 QEMU: tulip: OOB access in tulip_copy_tx_buffers
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amit, berrange, cfergeau, dbecker, dwmw2, itamar, jen, jferlan, jjoyce, jmaloy, jschluet, kbasil, knoel, lhh, lpeer, mburns, mkenneth, mrezanin, mst, pbonzini, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qemu-5.0.0 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds access flaw was found in the Tulip NIC emulator built into QEMU. This flaw occurs while copying network data to and from its tx/rx frame buffers, as it does not check frame size against the data length. This flaw allows a remote user or process to crash the QEMU process, resulting in a denial of service or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-06 10:32:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1821564    
Bug Blocks: 1787539    

Description Prasad Pandit 2020-04-06 08:59:57 UTC
An out-of-bounds access issue was found in the Tulip NIC emulator built into QEMU.
It could occur while copying network data to/from its tx/rx frame buffers, as it
does not check frame size against the data length.

A remote user/process could use this flaw to crash the QEMU process resulting in Dos
OR potentially execute arbitrary code with the privileges of the QEMU process on the host.

Upstream patch:
---------------
  -> https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/04/06/1

Comment 1 Prasad Pandit 2020-04-06 10:08:12 UTC
Acknowledgments:

Name: Ziming Zhang, Li Qiang (Tianchen Security Lab of Ant Financial)

Comment 2 Prasad Pandit 2020-04-06 10:08:19 UTC
Statement:

This issue does not affect the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 6, 7 and 8.

Comment 3 Product Security DevOps Team 2020-04-06 10:32:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11102

Comment 5 Prasad Pandit 2020-04-07 05:26:21 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-rawhide [bug 1821564]