Bug 1261889 (CVE-2015-5261) - CVE-2015-5261 spice: host memory access from guest using crafted images
Summary: CVE-2015-5261 spice: host memory access from guest using crafted images
Status: CLOSED ERRATA
Alias: CVE-2015-5261
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20151006,repo...
Keywords: Security
Depends On: 1259773 1262769 1262770 1262771 1267134
Blocks: 1260823
TreeView+ depends on / blocked
 
Reported: 2015-09-10 11:58 UTC by Martin Prpič
Modified: 2019-06-08 20:44 UTC (History)
5 users (show)

(edit)
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
Clone Of:
(edit)
Last Closed: 2015-10-15 17:34:31 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1889 normal SHIPPED_LIVE Important: spice-server security update 2015-10-12 23:07:08 UTC
Red Hat Product Errata RHSA-2015:1890 normal SHIPPED_LIVE Important: spice security update 2015-10-13 00:20:55 UTC

Description Martin Prpič 2015-09-10 11:58:24 UTC
The following flaw was reported in spice:

It is possible for a guest issuing QXL commands to host to allow reading and writing host memory in a range of about 16-20gb.
The guest can create a surface very large (say 1000000 x 1000000). If width * height overflow the 32 bit and became a small number the host will accept the command and will create the surface. Now guest can copy areas of surfaces to access any area of memory covered by the image. Considering overflows, pixman implementation and image formats (32 bit, top-down or down-top) the range (the guest pass an offset into video memory for the start) the range if about +/- 8gb.

Comment 6 Martin Prpič 2015-10-06 08:27:00 UTC
Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.

Comment 10 errata-xmlrpc 2015-10-12 19:08:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html

Comment 11 errata-xmlrpc 2015-10-12 20:21:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html


Note You need to log in before you can comment on or make changes to this bug.