Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 556052 (CVE-2015-3214)

Summary: <app-emulation/qemu-2.3.0-r4: i8254: out-of-bounds memory access in pit_ioport_read function (CVE-2015-3214)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 555680, 556050    

Description Agostino Sarubbo gentoo-dev 2015-07-27 15:09:21 UTC
From ${URL} :

Due converting PIO to the new memory read/write api we no longer provide
separate I/O region lenghts for read and write operations. As a result,
reading from PIT Mode/Command register will end with accessing
pit->channels with invalid index and potentially cause memory corruption and/or
minor information leak.

A privileged guest user in a guest with QEMU PIT emulation enabled could
potentially (tough unlikely) use this flaw to execute arbitrary code on the
host with the privileges of the hosting QEMU process. (QEMU part of the vulnerability)

A privileged guest user in a guest could potentially (tough unlikely) use this flaw to execute 
arbitrary code on the host. (KVM part of the vulnerability)

Upstream commits:



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2015-07-27 19:31:26 UTC
addressed in qemu-2.3.0-r4.
Comment 2 Agostino Sarubbo gentoo-dev 2015-07-28 15:04:38 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-07-28 15:05:03 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-08-09 02:48:20 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-10-31 15:07:14 UTC
This issue was resolved and addressed in
 GLSA 201510-02 at
by GLSA coordinator Kristian Fiskerstrand (K_F).