| Summary: | <app-emulation/qemu-2.3.0-r4: i8254: out-of-bounds memory access in pit_ioport_read function (CVE-2015-3214) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | qemu+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1229640 | ||
| See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1229640 | ||
| Whiteboard: | B2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 555680, 556050 | ||
addressed in qemu-2.3.0-r4. amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request. This issue was resolved and addressed in GLSA 201510-02 at https://security.gentoo.org/glsa/201510-02 by GLSA coordinator Kristian Fiskerstrand (K_F). |
From ${URL} : Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index and potentially cause memory corruption and/or minor information leak. A privileged guest user in a guest with QEMU PIT emulation enabled could potentially (tough unlikely) use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (QEMU part of the vulnerability) A privileged guest user in a guest could potentially (tough unlikely) use this flaw to execute arbitrary code on the host. (KVM part of the vulnerability) Upstream commits: KVM: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924 QEMU: http://git.qemu.org/?p=qemu.git;a=commit;h=d4862a87e31a51de9eb260f25c9e99a75efe3235 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.