Bug 1261889 - (CVE-2015-5261) CVE-2015-5261 spice: host memory access from guest using crafted images
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20151006,repo...
Keywords: Security
Depends On: 1259773 1262769 1262770 1262771 1267134
Blocks: 1260823
Reported: 2015-09-10 07:58 EDT by Martin Prpič
Modified: 2015-10-15 13:34 EDT (History)
CC List: 5 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-15 13:34:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Martin Prpič 2015-09-10 07:58:24 EDT
The following flaw was reported in spice:

It is possible for a guest issuing QXL commands to the host to read and write host memory in a range of about 16-20 GB.
The guest can create a very large surface (say 1000000 x 1000000). If width * height overflows 32 bits and becomes a small number, the host will accept the command and will create the surface. Now the guest can copy areas of surfaces to access any area of memory covered by the image. Considering overflows, the pixman implementation and image formats (32 bit, top-down or bottom-up), and the offset into video memory the guest passes for the start, the range is about +/- 8 GB.
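The mechanism described in the report, as an added illustration that is not SPICE code and not part of the original bug: a guest-controlled surface-create command whose width * bpp * height is computed in 32-bit arithmetic wraps to a small value, passes a naive "fits in video memory" check, and leaves later blits free to address the full logical width x height outside the allocation. The function names, the VRAM slot size and the sample dimensions are assumptions chosen for this example; the hardened variant checks every multiplication and the final offset + size in 64-bit arithmetic before trusting the result.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed size of the video-memory slot a surface must fit in (64 MiB). */
#define VRAM_SLOT_SIZE (64u * 1024u * 1024u)

/* Vulnerable pattern: stride and total size are computed with 32-bit
 * unsigned arithmetic, so width * bpp * height silently wraps modulo 2^32. */
uint32_t surface_size_wrapping(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride = width * bpp;   /* may wrap */
    return stride * height;          /* may wrap again */
}

/* Naive validation built on the wrapping size. The addition wraps as well,
 * so a large offset can also make the surface appear to fit. */
bool accept_surface_naive(uint32_t width, uint32_t height, uint32_t bpp,
                          uint32_t offset)
{
    uint32_t size = surface_size_wrapping(width, height, bpp);
    return offset + size <= VRAM_SLOT_SIZE;
}

/* True size of the pixel data, computed without loss in 64 bits. */
uint64_t surface_size_exact(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (uint64_t)width * (uint64_t)bpp * (uint64_t)height;
}

/* a * b into *out, false if the product does not fit in 32 bits. */
static bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t r = (uint64_t)a * (uint64_t)b;
    if (r > UINT32_MAX)
        return false;
    *out = (uint32_t)r;
    return true;
}

/* Hardened validation: reject zero dimensions, reject any intermediate
 * overflow, and check offset + size against the slot in 64-bit arithmetic.
 * size_out may be NULL; it is only written when the command is accepted. */
bool accept_surface_checked(uint32_t width, uint32_t height, uint32_t bpp,
                            uint32_t offset, uint32_t *size_out)
{
    uint32_t stride, size;
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (!mul_u32_checked(width, bpp, &stride))
        return false;
    if (!mul_u32_checked(stride, height, &size))
        return false;
    if ((uint64_t)offset + (uint64_t)size > VRAM_SLOT_SIZE)
        return false;
    if (size_out)
        *size_out = size;
    return true;
}

int main(void)
{
    /* Constructed guest commands: one benign, one whose size wraps to 256 KiB,
     * one whose offset wraps the naive addition. */
    struct { uint32_t w, h, bpp, off; const char *label; } cases[] = {
        { 1024u,  768u,   4u, 0u,          "benign 1024x768" },
        { 65536u, 65537u, 4u, 0u,          "size wraps: 65536x65537" },
        { 1024u,  768u,   4u, 0xFFFFFFF0u, "offset wraps: 1024x768 @ 0xFFFFFFF0" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, h = cases[i].h, bpp = cases[i].bpp, off = cases[i].off;
        printf("%-40s exact=%llu wrapped=%u naive=%s checked=%s\n", cases[i].label,
               (unsigned long long)surface_size_exact(w, h, bpp),
               surface_size_wrapping(w, h, bpp),
               accept_surface_naive(w, h, bpp, off) ? "accept" : "reject",
               accept_surface_checked(w, h, bpp, off, NULL) ? "accept" : "reject");
    }
    return 0;
}
```

The 65536 x 65537 case is the interesting one: the true size is 16 GiB plus 256 KiB, but the 32-bit product is exactly 256 KiB, so the naive check accepts a surface that the host will later address as 65537 rows of 256 KiB each. The page's own 1000000 x 1000000 figure wraps differently (to roughly 1.3 GiB for 32-bit pixels), so the dimensions here were chosen to wrap to something small enough to pass a modest slot size.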
Comment 6 Martin Prpič 2015-10-06 04:27:00 EDT
Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.
Comment 10 errata-xmlrpc 2015-10-12 15:08:58 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html
Comment 11 errata-xmlrpc 2015-10-12 16:21:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html