An integer overflow issue was found in the CCID Passthru card device emulation, while reading card data in the ccid_card_vscard_read() function. The ccid_card_vscard_read() function accepts a signed integer 'size' argument, which is subsequently used as an unsigned size_t value in memcpy(), copying large amounts of memory. A user inside the guest could use this flaw to crash the QEMU process, resulting in a DoS.

Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html

Reference:
----------
-> https://www.openwall.com/lists/oss-security/2018/10/17/3
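The signed-to-unsigned hazard described above, shown as an added example (not QEMU's code and not the upstream patch): a hypothetical receive buffer modelled only on the description, with the unchecked shape beside a checked one that rejects a negative or oversized 'size' before memcpy() runs. The struct, VSCARD_IN_SIZE and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical receive buffer; the real device's layout is not on the page. */
#define VSCARD_IN_SIZE 65536

typedef struct {
    uint8_t vscard_in_data[VSCARD_IN_SIZE];
    size_t  vscard_in_pos;   /* bytes currently buffered */
} PassthruCard;

/* Unchecked shape: 'size' is a signed int. When memcpy() receives it, the
 * value is converted to size_t, so a negative size becomes a huge length and
 * the copy runs far past vscard_in_data. Never called here; kept for contrast. */
void vscard_read_unchecked(PassthruCard *card, const uint8_t *data, int size)
{
    memcpy(card->vscard_in_data + card->vscard_in_pos, data, size);
    card->vscard_in_pos += (size_t)size;
}

/* Checked shape: validate the signed length against the space that is
 * actually left before any copy. Returns bytes appended, or -1 on rejection. */
int vscard_read_checked(PassthruCard *card, const uint8_t *data, int size)
{
    if (size < 0) {
        return -1;                        /* would wrap to a huge size_t */
    }
    size_t remaining = VSCARD_IN_SIZE - card->vscard_in_pos;
    if ((size_t)size > remaining) {
        return -1;                        /* would run past vscard_in_data */
    }
    memcpy(card->vscard_in_data + card->vscard_in_pos, data, (size_t)size);
    card->vscard_in_pos += (size_t)size;
    return size;
}

int main(void)
{
    PassthruCard card;
    memset(&card, 0, sizeof card);
    const uint8_t chunk[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed sample */
    int ok  = vscard_read_checked(&card, chunk, 8);        /* 8 */
    int bad = vscard_read_checked(&card, chunk, -1);       /* -1, nothing copied */
    return (ok == 8 && bad == -1) ? 0 : 1;
}
```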
Acknowledgments:

Name: Arash Tohidi
The overflowed argument in ccid_card_vscard_read() is "int size". Another memory corruption may happen if a specially crafted buffer is fed to buf, which will be passed to ccid_card_vscard_handle_message() and eventually will result in another memory overwrite by calling memcpy().
External References: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1640019]
The maintainer audited the code and cannot find that memory corruption happens (see bug 1640020#c9). Since there is no known reproducer (see bug 1640020#c7), all those issues have been closed as NOTABUG.
Statement: The maintainer audited the code and determined that no memory corruption is possible using this flaw. Patches were applied upstream to prevent future changes introducing such flaws, but the issues identified by this CVE were determined to not constitute a vulnerability.