Qemu emulator built with the Firmware Configuration device emulation support is vulnerable to an OOB r/w access issue. It could occur while processing firmware configurations, if the current configuration entry value was set to be invalid (FW_CFG_INVALID=0xffff). A privileged (CAP_SYS_RAWIO) user/process inside guest could use this flaw to crash the Qemu process instance resulting in DoS OR potentially execute arbitrary code with privileges of the Qemu process on the host.

Upstream fix:
-------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00428.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/01/12/10
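The class of check the description above calls for, as an added example: a simplified model of a selector-indexed configuration table, not QEMU's code and not part of the original report. Only FW_CFG_INVALID=0xffff comes from the report; ENTRY_MASK, MAX_ENTRY, the struct layout, the function names and the rule that selecting an out-of-range key stores FW_CFG_INVALID are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FW_CFG_INVALID 0xffff /* value named in the report */
#define ENTRY_MASK     0x3fff /* assumption: selector bits that index the table */
#define MAX_ENTRY      0x30   /* assumption: number of slots in the table */

struct entry { uint32_t len; uint8_t *data; };
struct fw_cfg_model {
    struct entry entries[MAX_ENTRY];
    uint16_t cur_entry;  /* selector written by the guest */
    uint32_t cur_offset; /* read position inside the selected entry */
};

/* Assumed selection rule: a key outside the table marks the selector invalid. */
void model_select(struct fw_cfg_model *s, uint16_t key) {
    s->cur_offset = 0;
    s->cur_entry = ((key & ENTRY_MASK) >= MAX_ENTRY) ? FW_CFG_INVALID : key;
}

/* Index a data path would compute if it masked the selector without a check. */
size_t model_index_unchecked(const struct fw_cfg_model *s) {
    return s->cur_entry & ENTRY_MASK; /* 0xffff & 0x3fff = 0x3fff, far past MAX_ENTRY */
}

/* Hardened lookup: reject the invalid marker and bound the index before use. */
struct entry *model_lookup(struct fw_cfg_model *s) {
    if (s->cur_entry == FW_CFG_INVALID) return NULL;
    size_t idx = s->cur_entry & ENTRY_MASK;
    return idx < MAX_ENTRY ? &s->entries[idx] : NULL;
}

/* Hardened read: an invalid selector or an exhausted entry reads as zero. */
uint8_t model_read(struct fw_cfg_model *s) {
    struct entry *e = model_lookup(s);
    if (e == NULL || e->data == NULL || s->cur_offset >= e->len)
        return 0;
    return e->data[s->cur_offset++];
}

int main(void) {
    struct fw_cfg_model s = {0};
    model_select(&s, 0x1234); /* constructed out-of-range key */
    printf("unchecked index 0x%zx, table size 0x%x, lookup rejected: %d\n",
           model_index_unchecked(&s), MAX_ENTRY, model_lookup(&s) == NULL);
    return 0;
}
```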
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1296080]
Acknowledgement: Red Hat would like to thank Donghai Zhu of Alibaba for reporting this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0082 https://rhn.redhat.com/errata/RHSA-2016-0082.html
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2016:0081 https://rhn.redhat.com/errata/RHSA-2016-0081.html
This issue has been addressed in the following products: OpenStack 7 For RHEL 7 Via RHSA-2016:0088 https://rhn.redhat.com/errata/RHSA-2016-0088.html
This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2016:0087 https://rhn.redhat.com/errata/RHSA-2016-0087.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2016:0086 https://rhn.redhat.com/errata/RHSA-2016-0086.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2016:0085 https://rhn.redhat.com/errata/RHSA-2016-0085.html
This issue has been addressed in the following products: RHEV 3.6 For IBM Power Systems RHEV-H and Agents for RHEL-7 Via RHSA-2016:0084 https://rhn.redhat.com/errata/RHSA-2016-0084.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0083 https://rhn.redhat.com/errata/RHSA-2016-0083.html
xen-4.5.2-9.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.5.2-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.