Bug 1821180 (CVE-2020-11102) - CVE-2020-11102 QEMU: tulip: OOB access in tulip_copy_tx_buffers
Summary: CVE-2020-11102 QEMU: tulip: OOB access in tulip_copy_tx_buffers
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-11102
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1821564
Blocks: 1787539
TreeView+ depends on / blocked
 
Reported: 2020-04-06 08:59 UTC by Prasad Pandit
Modified: 2021-02-16 20:19 UTC (History)
26 users (show)

Fixed In Version: qemu-5.0.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds access flaw was found in the Tulip NIC emulator built into QEMU. This flaw occurs while copying network data to and from its tx/rx frame buffers, as it does not check frame size against the data length. This flaw allows a remote user or process to crash the QEMU process, resulting in a denial of service or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2020-04-06 10:32:23 UTC
Embargoed:

Attachments (Terms of Use)

Description Prasad Pandit 2020-04-06 08:59:57 UTC 
An out-of-bounds access issue was found in the Tulip NIC emulator built into QEMU.
It could occur while copying network data to/from its tx/rx frame buffers, as it
does not check frame size against the data length.

A remote user/process could use this flaw to crash the QEMU process resulting in Dos
OR potentially execute arbitrary code with the privileges of the QEMU process on the host.

Upstream patch:
---------------
  -> https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/04/06/1
Comment 1 Prasad Pandit 2020-04-06 10:08:12 UTC 
Acknowledgments:

Name: Ziming Zhang, Li Qiang (Tianchen Security Lab of Ant Financial)
Comment 2 Prasad Pandit 2020-04-06 10:08:19 UTC 
Statement:

This issue does not affect the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 6, 7 and 8.
Comment 3 Product Security DevOps Team 2020-04-06 10:32:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11102
Comment 5 Prasad Pandit 2020-04-07 05:26:21 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-rawhide [bug 1821564]
Note You need to log in before you can comment on or make changes to this bug.