A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packet with length above 4096 bytes. 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption. A privileged guest user in a guest with AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. Upstream fix: ------------- -> git.qemu.org/?p=qemu.git;a=commit;h=9f7c594c006289ad41169b854d70f5da6e400a2a Acknowledgements: Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue.
Created attachment 1031225 [details] Upstream patch 7b50d00911ddd6d56a766ac5671e47304c20a21b commit is a prerequisite.
Statement: This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 7 as they do not enable the pcnet backend driver. This issue does not affect the Red Hat Enterprise Linux 7 based versions of the qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3. This issue affects the versions of the kvm and xen packages as shipped with Red Hat Enterprise Linux 5, the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 6, and the Red Hat Enterprise Linux 6 based versions of qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3. Future updates for the respective releases may address this flaw. Please note that AMD PCNet adapter has to be explicitly enabled per-guest as it is not enabled in default configuration and is not supported by Red Hat in Red Hat Enterprise Linux 6 (for a list of supported devices please consult https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-whitelist-device-options.html).
Upstream patch submission: https://www.mail-archive.com/qemu-devel@nongnu.org/msg302403.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1087 https://rhn.redhat.com/errata/RHSA-2015-1087.html
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2015:1088 https://rhn.redhat.com/errata/RHSA-2015-1088.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2015:1089 https://rhn.redhat.com/errata/RHSA-2015-1089.html
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1230537]
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1230536] Affects: epel-7 [bug 1230538]
xen-4.5.0-11.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.4.2-6.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.3.4-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2015:1189 https://rhn.redhat.com/errata/RHSA-2015-1189.html
qemu-2.3.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
qemu-2.4.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
qemu-2.1.3-9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.