Bug 1329538 – CVE-2016-7909 Qemu: net: pcnet: infinite loop in pcnet_rdra_addr()

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1329538 - (CVE-2016-7909) CVE-2016-7909 Qemu: net: pcnet: infinite loop in pcnet_rdra_addr()

Summary:	CVE-2016-7909 Qemu: net: pcnet: infinite loop in pcnet_rdra_addr()

Status:	CLOSED UPSTREAM

Aliases:	CVE-2016-7909

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20160930,reported=2...
Keywords:	Security

Duplicates:	1329596 (view as bug list)
Depends On:	1381196
Blocks:	1326713
	Show dependency tree / graph

Reported:	2016-04-22 04:01 EDT by Adam Mariš
Modified:	2017-07-31 01:32 EDT (History)
CC List:	45 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-02-07 02:32:33 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
GDB report (1.31 KB, text/plain) 2016-04-22 04:15 EDT, Adam Mariš	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2016-04-22 04:01:01 EDT

Quick Emulator(Qemu) built with the AMD PC-Net II emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets via pcnet_receive().

A privileged user/process inside guest could use this issue to crash the Qemu process on the host leading to DoS.

Upstream patch
--------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07942.html

Comment 1 Adam Mariš 2016-04-22 04:01:23 EDT

Acknowledgments:

Name: Li Qiang (Qihoo 360 Inc.)

Comment 2 Adam Mariš 2016-04-22 04:15 EDT

Created attachment 1149665 [details]
GDB report

Comment 4 Prasad J Pandit 2016-10-03 07:48:07 EDT

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1381196]

Comment 5 Andrej Nemec 2016-10-04 04:08:06 EDT

CVE assignment:

http://seclists.org/oss-sec/2016/q4/12

Comment 6 Cole Robinson 2017-01-16 13:15:45 EST

commit 34e29ce754c02bb6b3bdd244fbb85033460feaff
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Fri Sep 30 00:27:33 2016 +0530

    net: pcnet: check rx/tx descriptor ring length

Comment 7 Prasad J Pandit 2017-02-07 02:30:52 EST

*** Bug 1329596 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

abaron
ailan
alonbl
aortega
apevec
areis
ayoung
bmcclain
chrisw
crobinso
cvsbot-xmlrpc
dallan
dblechte
drjones
eedri
gklein
gkotton
imammedo
jen
jjoyce
jschluet
kbasil
knoel
lhh
lpeer
markmc
mgoldboi
michal.skrivanek
mkenneth
mrezanin
mst
pbonzini
ppandit
rbalakri
rbryant
rkrcmar
sclewis
security-response-team
sherold
srevivo
tdecacqu
virt-maint
vkuznets
ykaul
ylavi