Bug 1516922 (CVE-2017-15118) - CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long export name
Summary: CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long e...
Keywords:
Status: NEW
Alias: CVE-2017-15118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1518236 1516545 1517756 1518235 1518548 1525813
Blocks: 1516923
TreeView+ depends on / blocked
 
Reported: 2017-11-23 15:03 UTC by Adam Mariš
Modified: 2019-09-30 21:42 UTC (History)
49 users (show)

Fixed In Version: qemu 2.11
Doc Type: Bug Fix
Doc Text:
A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, allowing causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
Proposed patch (1.06 KB, patch)
2017-11-23 15:27 UTC, Adam Mariš
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1104 None None None 2018-04-10 18:58:31 UTC

Description Adam Mariš 2017-11-23 15:03:14 UTC
A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu allowing client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, allowing to cause out-of-bounds stack write in qemu process.

If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/11/28/8

Comment 1 Adam Mariš 2017-11-23 15:03:17 UTC
Acknowledgments:

Name: Eric Blake (Red Hat)

Comment 2 Adam Mariš 2017-11-23 15:27:45 UTC
Created attachment 1358264 [details]
Proposed patch

Comment 3 Adam Mariš 2017-11-23 15:29:13 UTC
Issue was introduced by commit:

https://git.qemu.org/?p=qemu.git;a=commit;h=f37708f6b8 (qemu 2.10)

Comment 6 Prasad J Pandit 2017-11-28 13:23:24 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1518236]
Affects: fedora-all [bug 1518235]

Comment 9 errata-xmlrpc 2018-04-10 18:58:08 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1104 https://access.redhat.com/errata/RHSA-2018:1104


Note You need to log in before you can comment on or make changes to this bug.