Bug 1374702 (CVE-2016-7170) - CVE-2016-7170 Qemu: vmware_vga: OOB stack memory access when processing svga command
Summary: CVE-2016-7170 Qemu: vmware_vga: OOB stack memory access when processing svga ...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2016-7170
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1329193 (view as bug list)
Depends On: 1374709 1398112 1398113 1398114 1398115 1398117 1398118 1398119 1398120 1398121 1398122 1398123 1398124
Blocks: 1329196 1348571 1370384
TreeView+ depends on / blocked
 
Reported: 2016-09-09 13:01 UTC by Prasad J Pandit
Modified: 2021-02-17 03:21 UTC (History)
40 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Quick Emulator (QEMU) built with the VMware-SVGA chipset emulation support is vulnerable to an OOB stack memory write issue. It could occur while processing VGA commands in 'vmsvga_fifo_run' routine. A privileged user inside guest could use this flaw to crash the QEMU process resulting in DoS.
Clone Of:
Environment:
Last Closed: 2016-12-09 09:00:57 UTC


Attachments (Terms of Use)

Description Prasad J Pandit 2016-09-09 13:01:55 UTC
Quick Emulator(Qemu) built with the VMware-SVGA "chipset" emulation support
is vulnerable to an OOB stack memory write issue. It could occur while
processing VGA commands in 'vmsvga_fifo_run' routine.

A privileged user inside guest could use this flaw to crash the Qemu process
resulting in DoS.

Upstream fix:
-------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=167d97a3def77ee2dbf6e908b0ecbfe2103977db

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/09/09/7

Comment 1 Prasad J Pandit 2016-09-09 13:02:31 UTC
Acknowledgments:

Name: Qinghao Tang, Li Qiang (360.cn Inc.)

Comment 2 Prasad J Pandit 2016-09-09 13:04:16 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1374709]

Comment 12 Prasad J Pandit 2017-01-12 18:18:43 UTC
*** Bug 1329193 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.