1261889 – (CVE-2015-5261) CVE-2015-5261 spice: host memory access from guest using crafted images

Bug 1261889 (CVE-2015-5261) - CVE-2015-5261 spice: host memory access from guest using crafted images

Summary: CVE-2015-5261 spice: host memory access from guest using crafted images

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-5261
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1259773 1262769 1262770 1262771 1267134
Blocks:	1260823
TreeView+	depends on / blocked

Reported:	2015-09-10 11:58 UTC by Martin Prpič
Modified:	2023-05-12 21:59 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
Clone Of:
Environment:
Last Closed:	2015-10-15 17:34:31 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1889	0	normal	SHIPPED_LIVE	Important: spice-server security update	2015-10-12 23:07:08 UTC
Red Hat Product Errata	RHSA-2015:1890	0	normal	SHIPPED_LIVE	Important: spice security update	2015-10-13 00:20:55 UTC

Description Martin Prpič 2015-09-10 11:58:24 UTC

The following flaw was reported in spice:

It is possible for a guest issuing QXL commands to host to allow reading and writing host memory in a range of about 16-20gb.
The guest can create a surface very large (say 1000000 x 1000000). If width * height overflow the 32 bit and became a small number the host will accept the command and will create the surface. Now guest can copy areas of surfaces to access any area of memory covered by the image. Considering overflows, pixman implementation and image formats (32 bit, top-down or down-top) the range (the guest pass an offset into video memory for the start) the range if about +/- 8gb.

Comment 6 Martin Prpič 2015-10-06 08:27:00 UTC

Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.

Comment 10 errata-xmlrpc 2015-10-12 19:08:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html

Comment 11 errata-xmlrpc 2015-10-12 20:21:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html

Note You need to log in before you can comment on or make changes to this bug.