Bug 1853725 (CVE-2020-15863)

Summary: CVE-2020-15863 QEMU: stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: ailan, amit, berrange, cfergeau, dbecker, drjones, dwmw2, imammedo, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, kbasil, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, ribarry, rjones, robinlee.sysu, sclewis, security-response-team, slinaber, virt-maint, virt-maint, vkuznets, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: QEMU 5.1.0-rc1
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow vulnerability was found in the XGMAC Ethernet controller of the QEMU emulator. This flaw occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
Story Points: ---
Last Closed: 2020-07-21 13:28:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1859107, 1859106, 1859108, 1910684
Bug Blocks: 1846064

Description Mauro Matteo Cascella 2020-07-03 16:58:50 UTC
A buffer overflow vulnerability was found in the XGMAC device of the QEMU emulator. XGMAC is an Ethernet controller used by the "highbank" and "midway" ARM emulated machines. The flaw lies in the xgmac_enet_send() function in hw/net/xgmac.c. Under certain circumstances, this may lead to a denial of service condition or potential code execution.

Upstream patch:
---------------
  -> https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555

Comment 1 Mauro Matteo Cascella 2020-07-03 16:58:52 UTC
Acknowledgments:

Name: Ziming Zhang (Codesafe Team of Legendsec at Qi'anxin Group)

Comment 2 Mauro Matteo Cascella 2020-07-06 13:08:46 UTC
Statement:

The XGMAC device can only be found on highbank and midway QEMU ARM emulated machines. This flaw did not affect the following versions of QEMU as they did not include support for XGMAC:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux 7.
* `qemu-kvm-rhev` as shipped with Red Hat Virtualization and Red Hat OpenStack.
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8.
* `virt:8.2/qemu-kvm` as shipped with RHEL Advanced Virtualization.

Comment 3 Mauro Matteo Cascella 2020-07-21 09:36:48 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1859107]
Affects: fedora-all [bug 1859106]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1859108]