Bug 1225882 (CVE-2015-3209, xsa135) - CVE-2015-3209 qemu: pcnet: multi-tmd buffer overflow in the tx path
Summary: CVE-2015-3209 qemu: pcnet: multi-tmd buffer overflow in the tx path
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3209, xsa135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20150610,repo...
Depends On: 1225886 1225887 1225889 1225890 1225892 1225893 1225896 1225898 1227601 1227602 1230536 1230537 1230538
Blocks: 1225908
TreeView+ depends on / blocked
 
Reported: 2015-05-28 11:46 UTC by Petr Matousek
Modified: 2019-06-08 20:36 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.
Clone Of:
Environment:
Last Closed: 2015-08-26 17:42:25 UTC


Attachments (Terms of Use)
Upstream patch (1.54 KB, application/mbox)
2015-05-28 11:50 UTC, Petr Matousek
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1087 normal SHIPPED_LIVE Important: qemu-kvm security update 2015-06-10 18:46:59 UTC
Red Hat Product Errata RHSA-2015:1088 normal SHIPPED_LIVE Important: qemu-kvm-rhev security update 2015-06-10 19:00:16 UTC
Red Hat Product Errata RHSA-2015:1089 normal SHIPPED_LIVE Important: qemu-kvm-rhev security update 2015-06-10 20:23:09 UTC
Red Hat Product Errata RHSA-2015:1189 normal SHIPPED_LIVE Important: kvm security update 2015-06-25 17:27:18 UTC

Description Petr Matousek 2015-05-28 11:46:16 UTC
A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packet with length above 4096 bytes. 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption.

A privileged guest user in a guest with AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

Upstream fix:
-------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=9f7c594c006289ad41169b854d70f5da6e400a2a


Acknowledgements:

Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue.

Comment 2 Petr Matousek 2015-05-28 11:50:31 UTC
Created attachment 1031225 [details]
Upstream patch

7b50d00911ddd6d56a766ac5671e47304c20a21b commit is a prerequisite.

Comment 8 Petr Matousek 2015-05-28 12:03:41 UTC
Statement: 

This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 7 as they do not enable the pcnet backend driver.

This issue does not affect the Red Hat Enterprise Linux 7 based versions of the qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.

This issue affects the versions of the kvm and xen packages as shipped with Red Hat Enterprise Linux 5, the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 6, and the Red Hat Enterprise Linux 6 based versions of qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3. Future updates for the respective releases may address this flaw.

Please note that AMD PCNet adapter has to be explicitly enabled per-guest as it is not enabled in default configuration and is not supported by Red Hat in Red Hat Enterprise Linux 6 (for a list of supported devices please consult https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-whitelist-device-options.html).

Comment 13 Petr Matousek 2015-06-10 14:16:41 UTC
Upstream patch submission:

https://www.mail-archive.com/qemu-devel@nongnu.org/msg302403.html

Comment 14 errata-xmlrpc 2015-06-10 14:48:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1087 https://rhn.redhat.com/errata/RHSA-2015-1087.html

Comment 15 errata-xmlrpc 2015-06-10 15:00:27 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2015:1088 https://rhn.redhat.com/errata/RHSA-2015-1088.html

Comment 16 errata-xmlrpc 2015-06-10 16:23:18 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:1089 https://rhn.redhat.com/errata/RHSA-2015-1089.html

Comment 17 Petr Matousek 2015-06-11 06:58:35 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1230537]

Comment 18 Petr Matousek 2015-06-11 06:58:41 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1230536]
Affects: epel-7 [bug 1230538]

Comment 19 Fedora Update System 2015-06-24 16:00:57 UTC
xen-4.5.0-11.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2015-06-24 16:02:24 UTC
xen-4.4.2-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2015-06-24 16:04:05 UTC
xen-4.3.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2015-06-25 13:28:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:1189 https://rhn.redhat.com/errata/RHSA-2015-1189.html

Comment 23 Fedora Update System 2015-08-18 05:16:37 UTC
qemu-2.3.1-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2015-08-23 16:40:37 UTC
qemu-2.4.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2015-09-01 07:26:35 UTC
qemu-2.1.3-9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.