Bug 1609015 (CVE-2018-18438) - CVE-2018-18438 Qemu: Integer overflow in ccid_card_vscard_read() allows memory corruption
Alias: CVE-2018-18438
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1640005 1640006 1640007 1640008 1640009 1640010 1640011 1640012 1640013 1640019 1640020
Blocks: 1613564
Reported: 2018-07-26 18:06 UTC by Laura Pardo
Modified: 2021-02-16 23:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-05-03 16:26:09 UTC


Description Laura Pardo 2018-07-26 18:06:38 UTC
An integer overflow issue was found in the CCID Passthru card device emulation, while reading card data in the ccid_card_vscard_read() function. The ccid_card_vscard_read() function accepts a signed integer 'size' argument, which is subsequently used as an unsigned size_t value in memcpy(), copying large amounts of memory.

A user inside the guest could use this flaw to crash the Qemu process, resulting in DoS.

Upstream patch:
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html

  -> https://www.openwall.com/lists/oss-security/2018/10/17/3
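To make the signed/unsigned pattern described in the report concrete, here is an added example (not QEMU's code, and not part of this bug report): a hypothetical receive buffer whose room check is written with a signed int length, next to a hardened version that takes size_t and checks the remaining room by subtraction. The struct, the 64-byte limit and the sample bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VSCARD_IN_SIZE 64   /* constructed small limit for the demo */

typedef struct {            /* hypothetical receive buffer for the demo */
    uint8_t  data[VSCARD_IN_SIZE];
    uint32_t pos;           /* bytes already buffered, always <= limit */
} InBuf;

/* Flawed pattern: the length arrives as a signed int. A negative value
 * such as -1 makes the unsigned sum wrap small, so the room check passes,
 * and memcpy() would widen it to a huge size_t. Returns that length, or 0
 * when the check drops the data. The copy itself is not performed here. */
size_t flawed_read_len(uint32_t pos, int size)
{
    if (pos + size > VSCARD_IN_SIZE) {      /* uint32_t + int: wraps */
        return 0;                           /* "no room": data dropped */
    }
    return (size_t)size;                    /* what memcpy() would get */
}

/* Hardened: length is size_t (never negative) and the remaining room is
 * computed by subtraction, which cannot wrap while pos <= limit. */
int safe_read(InBuf *b, const uint8_t *src, size_t size)
{
    if (size > VSCARD_IN_SIZE - b->pos) {
        return -1;                          /* no room: drop the data */
    }
    memcpy(b->data + b->pos, src, size);
    b->pos += size;
    return 0;
}

/* Feeds one valid and two oversized lengths through safe_read();
 * returns the final fill level (14) or -1 if any result is unexpected. */
int run_demo(void)
{
    InBuf b = { .pos = 10 };
    const uint8_t msg[4] = { 0x01, 0x02, 0x03, 0x04 };   /* constructed */
    if (safe_read(&b, msg, 4) != 0)           return -1;
    if (safe_read(&b, msg, (size_t)-1) != -1) return -1;  /* wrapped -1 */
    if (safe_read(&b, msg, 51) != -1)         return -1;  /* only 50 left */
    return (int)b.pos;
}

int main(void) {
    printf("flawed: size=-1 -> memcpy length %zu\n", flawed_read_len(10, -1));
    printf("hardened: final pos %d\n", run_demo());
    return 0;
}
```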

Comment 1 Laura Pardo 2018-07-26 18:06:53 UTC

Name: Arash Tohidi

Comment 2 Arash Tohidi 2018-07-26 18:42:41 UTC
The overflowed argument in ccid_card_vscard_read() is "int size". Another memory corruption may happen if a specially crafted buffer is fed to buf, which will be passed to ccid_card_vscard_handle_message() and eventually will result in another memory overwrite by calling memcpy().

Comment 4 Prasad Pandit 2018-10-17 06:45:41 UTC
External References:


Comment 6 Prasad Pandit 2018-10-17 07:19:55 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1640019]

Comment 11 Philippe Mathieu-Daudé 2019-05-03 16:26:09 UTC
The maintainer audited the code and cannot find that memory corruption happens (see bug 1640020#c9).

Since there is no known reproducer (see bug 1640020#c7), all those issues have been closed as NOTABUG.

Comment 12 Doran Moppert 2020-06-17 06:14:10 UTC

The maintainer audited the code and determined that no memory corruption is possible using this flaw. Patches were applied upstream to prevent future changes introducing such flaws, but the issues identified by this CVE were determined to not constitute a vulnerability.
