An integer overflow resulting in a memory corruption issue was found in various Bluetooth functions. It could occur in routines wherein the 'len' parameter is a 'signed int' which is subsequently converted to an unsigned integer, resulting in memcpy() copying large amounts of memory. A user inside the guest could use this flaw to crash the Qemu process, resulting in DoS.

Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html

Reference:
----------
-> https://www.openwall.com/lists/oss-security/2018/11/29/1
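The signed-to-unsigned conversion described above, shown as an added example that is not QEMU's code and not taken from the upstream patch. The function names (vulnerable_guard_accepts, length_as_seen_by_memcpy, copy_hardened), the BUF_SIZE capacity and the payload bytes are all constructed for illustration: the first two functions show why a check of only the upper bound on a signed 'len' is insufficient, and copy_hardened shows the check a receive routine needs before handing 'len' to memcpy().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64  /* capacity of the receive buffer in this constructed example */

/* Flawed bounds check of the kind the report describes (hypothetical, not
 * QEMU's code): comparing a signed 'len' only against the upper bound lets
 * a negative value through, and memcpy() then receives (size_t)len. */
static int vulnerable_guard_accepts(int len)
{
    return len <= BUF_SIZE;   /* -1 <= 64 is true, so a negative len passes */
}

/* What memcpy() actually receives after the implicit int -> size_t conversion. */
static size_t length_as_seen_by_memcpy(int len)
{
    return (size_t)len;       /* -1 becomes SIZE_MAX on every platform */
}

/* Hardened copy: reject negative lengths before any conversion happens, then
 * compare against the destination capacity in unsigned arithmetic. Returns
 * the number of bytes copied, or -1 for a malformed length. */
static int copy_hardened(uint8_t *dst, size_t dst_cap, const uint8_t *src, int len)
{
    if (len < 0 || (size_t)len > dst_cap) {
        return -1;            /* caller drops the packet instead of copying */
    }
    memcpy(dst, src, (size_t)len);
    return len;
}

int main(void)
{
    uint8_t src[BUF_SIZE], dst[BUF_SIZE];
    memset(src, 0xAB, sizeof src);   /* constructed payload bytes */

    printf("flawed guard accepts len=-1: %d\n", vulnerable_guard_accepts(-1));
    printf("memcpy would receive %zu bytes for len=-1\n", length_as_seen_by_memcpy(-1));
    printf("hardened copy, len=16: %d\n", copy_hardened(dst, sizeof dst, src, 16));
    printf("hardened copy, len=-1: %d\n", copy_hardened(dst, sizeof dst, src, -1));
    printf("hardened copy, len=65: %d\n", copy_hardened(dst, sizeof dst, src, 65));
    return 0;
}
```

The same defect also appears when the check is written as `if (len > sizeof buf)`: the comparison promotes the signed `len` to `size_t`, so a negative value again compares as huge and the branch is taken, but code that checks `len > INT_MAX` style constants or compares in int arithmetic does not get that accidental protection. Testing for `len < 0` explicitly, or carrying the length as an unsigned type from the point it is parsed, removes the ambiguity.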
Acknowledgments: Name: Arash Tohidi
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1640543]
*** Bug 1607666 has been marked as a duplicate of this bug. ***
*** Bug 1608611 has been marked as a duplicate of this bug. ***
*** Bug 1608610 has been marked as a duplicate of this bug. ***