Bug 1853725 (CVE-2020-15863) - CVE-2020-15863 QEMU: stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c
Summary: CVE-2020-15863 QEMU: stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-15863
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1859107 1859106 1859108 1910684
Blocks: 1846064
Reported: 2020-07-03 16:58 UTC by Mauro Matteo Cascella
Modified: 2022-04-17 20:58 UTC (History)

Fixed In Version: QEMU 5.1.0-rc1
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow vulnerability was found in the XGMAC Ethernet controller of the QEMU emulator. This flaw occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
Clone Of:
Environment:
Last Closed: 2020-07-21 13:28:37 UTC



Description Mauro Matteo Cascella 2020-07-03 16:58:50 UTC
A buffer overflow vulnerability was found in the XGMAC device of the QEMU emulator. XGMAC is an Ethernet controller used by the "highbank" and "midway" ARM emulated machines. The flaw lies in the xgmac_enet_send() function in hw/net/xgmac.c. Under certain circumstances, this may lead to a denial of service condition or potential code execution.

Upstream patch:
---------------
  -> https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555
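
The description above and the Doc Text both name the bug class (a guest-driven packet transmit path copying descriptor data into a fixed-size stack buffer in xgmac_enet_send()) without showing the pattern. The following C model is an added illustration written for this page; it is not QEMU's code, not the content of the linked upstream commit, and its struct, field names, the 12-bit length mask and the 8192-byte frame buffer are all assumptions chosen to make the bug class concrete. It shows the shape of the fix that any such device model needs: the guest controls the number of descriptors and every length field, so each length must be checked against the space remaining in the frame buffer before the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified model of a TX DMA descriptor. This is NOT QEMU's
 * struct or its field names; it keeps only what the check needs: a size
 * field whose low 12 bits the guest controls, and a source buffer. */
typedef struct {
    uint32_t size_field;     /* guest-written; only the low 12 bits are a length */
    const uint8_t *src;      /* stands in for the guest buffer the device would DMA from */
} tx_desc_t;

#define DESC_SIZE_MASK 0xfffu   /* assumed 12-bit length field, max 4095 bytes */
#define FRAME_MAX      8192u    /* assumed fixed-size stack buffer for the assembled frame */

/* Assemble one frame from a descriptor chain into a fixed-size stack buffer.
 * Returns the assembled length, or -1 if a descriptor would not fit. The
 * check before memcpy() is the whole point: the guest chooses both the
 * number of descriptors and each length, so without it a long enough chain
 * writes past the end of frame[] on the device model's stack. */
long assemble_frame(const tx_desc_t *descs, size_t ndesc)
{
    uint8_t frame[FRAME_MAX];
    size_t frame_size = 0;

    for (size_t i = 0; i < ndesc; i++) {
        size_t len = descs[i].size_field & DESC_SIZE_MASK;

        /* Check against the space left, not against the buffer size alone:
         * frame_size + len can exceed FRAME_MAX even though len by itself fits. */
        if (len > FRAME_MAX - frame_size) {
            fprintf(stderr, "tx: descriptor %zu (%zu bytes) would overflow %u-byte frame at offset %zu\n",
                    i, len, FRAME_MAX, frame_size);
            return -1;   /* drop the frame instead of corrupting the stack */
        }
        memcpy(frame + frame_size, descs[i].src, len);
        frame_size += len;
    }
    /* A real device model would hand frame[0..frame_size) to the network backend here. */
    return (long)frame_size;
}

/* Build a chain from constructed size fields, all pointing at one 4095-byte
 * pattern buffer (large enough for any masked length), and run it. */
long run_chain(const uint32_t *sizes, size_t n)
{
    static uint8_t payload[DESC_SIZE_MASK];   /* constructed sample data */
    tx_desc_t descs[8];
    if (n > 8) {
        return -1;
    }
    memset(payload, 0xab, sizeof(payload));
    for (size_t i = 0; i < n; i++) {
        descs[i].size_field = sizes[i];
        descs[i].src = payload;
    }
    return assemble_frame(descs, n);
}

/* Constructed chains: one that fits, one whose third fragment would overflow,
 * one whose size field has bits set above the 12-bit length. */
long demo_fitting_chain(void)   { const uint32_t s[] = {1500, 100};        return run_chain(s, 2); }  /* 1600 */
long demo_oversized_chain(void) { const uint32_t s[] = {4095, 4095, 4095}; return run_chain(s, 3); }  /* -1 */
long demo_masked_size(void)     { const uint32_t s[] = {0x1010};           return run_chain(s, 1); }  /* 16: high bits ignored */

int main(void)
{
    printf("fitting chain   -> %ld\n", demo_fitting_chain());
    printf("oversized chain -> %ld\n", demo_oversized_chain());
    printf("masked size     -> %ld\n", demo_masked_size());
    return 0;
}
```

The oversized chain is rejected at the third descriptor: the first two (4095 + 4095 = 8190 bytes) fit, and the remaining 2 bytes of space are less than the next length. Checking `len > FRAME_MAX - frame_size` rather than `len > FRAME_MAX` is what closes the cumulative case; for the real fix to this CVE, consult the upstream commit linked above and the fixed version (QEMU 5.1.0-rc1) given in this bug.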

Comment 1 Mauro Matteo Cascella 2020-07-03 16:58:52 UTC
Acknowledgments:

Name: Ziming Zhang (Codesafe Team of Legendsec at Qi'anxin Group)

Comment 2 Mauro Matteo Cascella 2020-07-06 13:08:46 UTC
Statement:

The XGMAC device can only be found on highbank and midway QEMU ARM emulated machines. This flaw did not affect the following versions of QEMU as they did not include support for XGMAC:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux 7.
* `qemu-kvm-rhev` as shipped with Red Hat Virtualization and Red Hat OpenStack.
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8.
* `virt:8.2/qemu-kvm` as shipped with RHEL Advanced Virtualization.

Comment 3 Mauro Matteo Cascella 2020-07-21 09:36:48 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1859107]
Affects: fedora-all [bug 1859106]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1859108]

