Bug 1712834 (CVE-2019-12247) - CVE-2019-12247 QEMU: qemu-guest-agent: integer overflow while running guest-exec command
Summary: CVE-2019-12247 QEMU: qemu-guest-agent: integer overflow while running guest-e...
Alias: CVE-2019-12247
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1712835 1712836 1712837 1712844 1712846 1712847
Blocks: 1608556
Reported: 2019-05-22 10:54 UTC by Prasad Pandit
Modified: 2021-02-16 21:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-05-31 07:16:38 UTC


Description Prasad Pandit 2019-05-22 10:54:55 UTC
An integer overflow issue was found in the QEMU Guest Agent in QEMU,
while reading the argument list passed to the 'guest-exec' QMP command.
An attacker could exploit this by sending a crafted QMP command to
the agent via a listening socket to trigger the overflow. It may
crash the QEMU guest agent, resulting in DoS.

Upstream patch:
  -> https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html

  -> https://www.openwall.com/lists/oss-security/2019/05/22/4

Comment 1 Prasad Pandit 2019-05-22 10:55:01 UTC

Name: Guoxiang Niu (huawei.com)

Comment 2 Prasad Pandit 2019-05-22 10:57:36 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1712836]

Comment 8 Prasad Pandit 2019-05-31 07:16:38 UTC
This one turned out to be a non-issue. The number of command-line arguments
is capped by the QMP JSON parser to MAX_TOKEN_COUNT (2ULL << 20). It helps
to avoid the said integer overflow issue.

  -> https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg05457.html

Closing this as notabug.
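The defensive pattern behind the closing comment, as an added C example that is not code from QEMU or from this bug: converting a list of strings into an argv-style array while counting in size_t, refusing lists longer than an explicit cap (the role MAX_TOKEN_COUNT plays for the QMP JSON parser upstream), and checking the allocation size before it is multiplied. The StrNode type, the function names, and the cap values passed in are constructed for this illustration, not QEMU's own identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a QAPI-style string list (not QEMU's own type). */
typedef struct StrNode {
    const char *value;
    struct StrNode *next;
} StrNode;

/*
 * Convert a string list into a NULL-terminated argv-style array.
 *
 * The risk in this pattern is counting entries in an `int` and then
 * computing `count * sizeof(char *)` for the allocation: a long enough list
 * wraps the count or the product, and the array ends up smaller than the
 * number of pointers later written into it. This version counts in size_t,
 * stops as soon as the list would exceed `max_args` (the bound the QMP
 * parser's token cap provides upstream), checks the element-count
 * multiplication explicitly, and only then allocates.
 * Returns NULL (with *out_count = 0) on rejection or allocation failure.
 */
const char **list_to_argv(const StrNode *head, size_t max_args, size_t *out_count)
{
    size_t count = 0;
    const StrNode *it;

    for (it = head; it != NULL; it = it->next) {
        if (count == max_args) {          /* one more entry would exceed the cap */
            if (out_count) *out_count = 0;
            return NULL;
        }
        count++;
    }

    /* Guard count + 1 (NULL terminator) and the byte-size product. */
    if (count > SIZE_MAX - 1 || count + 1 > SIZE_MAX / sizeof(const char *)) {
        if (out_count) *out_count = 0;
        return NULL;
    }

    const char **argv = calloc(count + 1, sizeof(*argv));
    if (argv == NULL) {
        if (out_count) *out_count = 0;
        return NULL;
    }

    size_t i = 0;
    for (it = head; it != NULL; it = it->next) {
        argv[i++] = it->value;
    }
    argv[count] = NULL;                   /* calloc already zeroed it; be explicit */
    if (out_count) *out_count = count;
    return argv;
}

void free_list(StrNode *head)
{
    while (head != NULL) {
        StrNode *next = head->next;
        free(head);
        head = next;
    }
}

/* Build a list of n nodes all holding `value` (constructed test input). */
StrNode *make_list(const char *value, size_t n)
{
    StrNode *head = NULL;
    while (n-- > 0) {
        StrNode *node = malloc(sizeof(*node));
        if (node == NULL) {
            free_list(head);
            return NULL;
        }
        node->value = value;
        node->next = head;
        head = node;
    }
    return head;
}

/*
 * Demo: convert a list of n copies of "arg" under the given cap and report
 * the resulting argv length, or 0 if the list was rejected (n must be > 0
 * for the two cases to be distinguishable). Returns SIZE_MAX if the produced
 * array is malformed (missing terminator or wrong first element).
 */
size_t convert_n_args(size_t n, size_t max_args)
{
    StrNode *list = make_list("arg", n);
    size_t count = 0;
    const char **argv = list_to_argv(list, max_args, &count);
    size_t result;

    if (argv == NULL) {
        result = 0;
    } else if (argv[count] != NULL || (count > 0 && strcmp(argv[0], "arg") != 0)) {
        result = SIZE_MAX;
    } else {
        result = count;
    }
    free(argv);
    free_list(list);
    return result;
}

int main(void)
{
    printf("3 args, cap 16  -> %zu\n", convert_n_args(3, 16));   /* 3 */
    printf("17 args, cap 16 -> %zu\n", convert_n_args(17, 16));  /* 0: rejected */
    return 0;
}
```

The cap is applied while walking the list rather than after counting, so an oversized list is rejected before any size arithmetic takes place; the explicit SIZE_MAX checks then make the allocation safe even on a libc whose calloc does not verify the product itself.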

Comment 9 Doran Moppert 2020-02-11 00:32:05 UTC

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
