Bug 1422415 (CVE-2017-2630) - CVE-2017-2630 Qemu: nbd: oob stack write in client routine drop_sync
Summary: CVE-2017-2630 Qemu: nbd: oob stack write in client routine drop_sync
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-2630
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1425302
Blocks: 1420238
Reported: 2017-02-15 09:47 UTC by Prasad Pandit
Modified: 2021-02-17 02:35 UTC (History)
CC List: 38 users

Fixed In Version: qemu 2.9
Doc Type: Bug Fix
Doc Text:
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) built with Network Block Device (NBD) client support. The flaw could occur while processing the server's response to an 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client, resulting in a denial of service (DoS), or potentially to execute arbitrary code on the client host with the privileges of the QEMU process.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:07:39 UTC
Embargoed:


Links:
  Red Hat Product Errata RHSA-2017:2392 (priority: normal; status: SHIPPED_LIVE; not private)
  Summary: Important: qemu-kvm-rhev security, bug fix, and enhancement update
  Last Updated: 2017-08-01 20:04:36 UTC

Description Prasad Pandit 2017-02-15 09:47:11 UTC
Quick Emulator (Qemu) built with the Network Block Device (NBD) client support is
vulnerable to a stack buffer overflow issue. It could occur while processing the
server's response to a 'NBD_OPT_LIST' request.

A malicious NBD server could use this issue to crash a remote NBD client,
resulting in DoS, or potentially execute arbitrary code on the client host with
the privileges of the Qemu process.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/02/15/2

Comment 5 Eric Blake 2017-03-07 16:51:32 UTC
Latest upstream patch - hoping it will be merged for the release candidates
https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg01455.html

Comment 6 Eric Blake 2017-03-15 20:50:30 UTC
Will be in qemu 2.9:

commit 2563c9c6b8670400c48e562034b321a7cf3d9a85
Author: Vladimir Sementsov-Ogievskiy <vsementsov>
Date:   Tue Mar 7 09:16:27 2017 -0600

    nbd/client: fix drop_sync [CVE-2017-2630]
    
    Comparison symbol is misused. It may lead to memory corruption.
    Introduced in commit 7d3123e.
    
    Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov>
    Message-Id: <20170203154757.36140-6-vsementsov>
    [eblake: add CVE details, update conditional]
    Signed-off-by: Eric Blake <eblake>
    Reviewed-by: Marc-André Lureau <marcandre.lureau>
    Message-Id: <20170307151627.27212-1-eblake>
    Signed-off-by: Paolo Bonzini <pbonzini>

Comment 9 errata-xmlrpc 2017-08-02 04:49:28 UTC
This issue has been addressed in the following products:

  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:2392 https://access.redhat.com/errata/RHSA-2017:2392


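Editor's added example (not QEMU's code and not part of this bug report): the commit message in Comment 6 records the root cause as a misused comparison symbol in the client's drop_sync routine. The C program below models that pattern with a routine that drains unwanted server bytes into a small on-stack scratch buffer when the whole amount fits, and a bounded heap buffer otherwise. It places the vulnerable selection rule (inverted comparison, so an oversized amount selects the 1024-byte stack buffer) beside the corrected one, and drains a constructed reply through the corrected routine, capping each read at the chosen buffer's size so no length from the peer can exceed it. The function and type names (fake_chan, vulnerable_selects_stack, fixed_selects_stack, drop_sync_fixed, demo_drop), the 1024/65536 sizes and the constructed reply bytes are this example's own assumptions, not taken from the upstream source.

```c
/* Added illustration of the CVE-2017-2630 bug class (inverted stack/heap
 * buffer selection). Not QEMU's code; all names and sizes are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define SMALL_BUF 1024   /* size of the on-stack scratch buffer (assumed) */
#define MAX_CHUNK 65536  /* largest heap chunk the drain loop allocates (assumed) */

/* In-memory stand-in for the NBD socket, holding a constructed server reply. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} fake_chan;

/* Read up to `want` bytes from the fake channel; 0 means the peer closed. */
static ssize_t chan_read(fake_chan *c, void *buf, size_t want)
{
    size_t avail = c->len - c->pos;
    size_t n = want < avail ? want : avail;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return (ssize_t)n;
}

/* Selection rule of the vulnerable code: the comparison is inverted, so any
 * amount LARGER than the stack buffer picks the stack buffer, and the
 * subsequent read of up to 64 KiB into it writes past its end. */
bool vulnerable_selects_stack(size_t size)
{
    return SMALL_BUF < size;   /* bug: true exactly when size does NOT fit */
}

/* Corrected selection rule: the stack buffer is used only when `size` fits. */
bool fixed_selects_stack(size_t size)
{
    return SMALL_BUF >= size;
}

/* Discard `size` bytes from the channel. Returns the number of bytes dropped,
 * or -1 if the peer closed early or allocation failed. Every read is capped
 * at the chosen buffer's size, so the peer cannot drive a write past it. */
ssize_t drop_sync_fixed(fake_chan *c, size_t size)
{
    char small[SMALL_BUF];
    char *buffer;
    size_t chunk;
    ssize_t dropped = 0;

    if (fixed_selects_stack(size)) {
        buffer = small;
        chunk = sizeof(small);
    } else {
        chunk = size < MAX_CHUNK ? size : MAX_CHUNK;
        buffer = malloc(chunk);
        if (!buffer) {
            return -1;
        }
    }

    while (size > 0) {
        size_t want = size < chunk ? size : chunk;  /* never exceed the buffer */
        ssize_t n = chan_read(c, buffer, want);
        if (n <= 0) {
            dropped = -1;   /* connection closed before the amount was drained */
            break;
        }
        size -= (size_t)n;
        dropped += n;
    }
    if (buffer != small) {
        free(buffer);
    }
    return dropped;
}

/* Build a constructed reply of `reply_len` filler bytes and ask the corrected
 * routine to drop `drop` bytes from it. */
ssize_t demo_drop(size_t reply_len, size_t drop)
{
    uint8_t *reply = malloc(reply_len ? reply_len : 1);
    if (!reply) {
        return -1;
    }
    memset(reply, 0xAB, reply_len);            /* constructed payload */
    fake_chan c = { reply, reply_len, 0 };
    ssize_t r = drop_sync_fixed(&c, drop);
    free(reply);
    return r;
}

int main(void)
{
    size_t size = 4096;   /* a reply larger than the stack scratch buffer */
    printf("size=%zu: vulnerable rule picks stack buffer: %s, fixed rule: %s\n",
           size, vulnerable_selects_stack(size) ? "yes" : "no",
           fixed_selects_stack(size) ? "yes" : "no");
    printf("dropped %zd of %zu bytes with the corrected routine\n",
           demo_drop(size, size), size);
    return 0;
}
```

The two selection functions isolate the single comparison the fix changed; the corrected drain routine additionally bounds each read by the buffer actually in use, which is the property a reviewer should check whenever a routine switches between a fixed-size stack buffer and a heap allocation based on a peer-supplied length.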