Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 589928 (CVE-2016-5403)

Summary: <app-emulation/qemu-2.7.0: virtio: unbounded memory allocation on host via guest leading to DoS (CVE-2016-5403)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/07/27/4
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 592430    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-07-28 15:29:34 UTC
From ${URL} :

Quick emulator(Qemu) built with the virtio framework is vulnerable to an 
unbounded memory allocation issue. It was found that a malicious guest user 
could submit more requests than the virtqueue size permits, without waiting 
for their completion. This requires reusing vring descriptors in more than one 
request, which is incorrect but possible. Processing a request allocates a 
'VirtQueueElement' object and therefore causes unbounded memory allocation 
controlled by the guest.

A privileged guest user could use this flaw to potentially crash the guest 
resulting in DoS. Memory exhaustion would also affect other guests and 
services running on the host.

This issue was discovered by Zhenhao Hong of the 360 Marvel Team.

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1358359



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2016-09-05 05:49:04 UTC
Fixed in at least version 2.7.0. Stabilization of 2.7.0 in #592430

commit 671df1de7a8611d59307ffcd448af451c15003ed
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Sep 4 23:25:32 2016 -0500

    app-emulation/qemu: version bump to 2.7.0, various security fixes
    
    3af9187fc6caaf415ab9c0c6d92c9678f65cb17f -> CVE-2016-4001, bug #579734
    3a15cc0e1ee7168db0782133d2607a6bfa422d66 -> CVE-2016-4002, bug #579734
    c98c6c105f66f05aa0b7c1d2a4a3f716450907ef -> CVE-2016-4439, bug #583496
    6c1fef6b59563cc415f21e03f81539ed4b33ad90 -> CVE-2016-4441, bug #583496
    06630554ccbdd25780aa03c3548aaff1eb56dffd ->              , bug #583952
    844864fbae66935951529408831c2f22367a57b6 -> CVE-2016-5337, bug #584094
    b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 ->              , bug #584102
    1b85898025c4cd95dce673d15e67e60e98e91731 ->              , bug #584146
    521360267876d3b6518b328051a2e56bca55bef8 -> CVE-2016-4453, bug #584514
    4e68a0ee17dad7b8d870df0081d4ab2e079016c2 -> CVE-2016-4454, bug #584514
    a6b3167fa0e825aebb5a7cd8b437b6d41584a196 -> CVE-2016-5126, bug #584630
    ff589551c8e8e9e95e211b9d8daafb4ed39f1aec -> CVE-2016-5338, bug #584918
    d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a -> CVE-2016-5238, bug #584918
    1e7aed70144b4673fc26e73062064b6724795e5f ->              , bug #589924
    afd9096eb1882f23929f5b5c177898ed231bac66 -> CVE-2016-5403, bug #589928
    eb700029c7836798046191d62d595363d92c84d4 -> CVE-2016-6835, bug #591244
    ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 -> CVE-2016-6834, bug #591374
    6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 -> CVE-2016-6833, bug #591380
    47882fa4975bf0b58dd74474329fdd7154e8f04c -> CVE-2016-6888, bug #591678
    
    805b5d98c649d26fc44d2d7755a97f18e62b438a
    56f101ecce0eafd09e2daf1c4eeb1377d6959261
    fff39a7ad09da07ef490de05c92c91f22f8002f2 ->              , bug #592430
    
    Package-Manager: portage-2.2.28
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-09-10 04:19:30 UTC
Added to an existing GLSA Request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-09-26 00:37:58 UTC
This issue was resolved and addressed in
 GLSA 201609-01 at https://security.gentoo.org/glsa/201609-01
by GLSA coordinator Yury German (BlueKnight).