Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 519506 (CVE-2014-5263) - <app-emulation/qemu-2.1.0-r1: missing field list terminator in vmstate_xhci_event (CVE-2014-5263)
Summary: <app-emulation/qemu-2.1.0-r1: missing field list terminator in vmstate_xhci_e...
Status: RESOLVED FIXED
Alias: CVE-2014-5263
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-09 12:36 UTC by Agostino Sarubbo
Modified: 2014-12-08 22:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-08-09 12:36:37 UTC
From ${URL} :

It was found that vmstate_xhci_event field list was missing
VMSTATE_END_OF_LIST() terminator and traversing through this list
would result in out-of-bounds access during vm state saving and
loading.

Depending on how vmstate_xhci_event is placed in the qemu binary,
this issue can range from non-issue, infinite loop to (potentially)
privilege escalation in case the we end up with fields that have info
and/or field_exist members initialized in a way that is useful for
exploitation (most probably unlikely).

In the worst case, attacker able to alter the migration data could
use this flaw to to corrupt QEMU process memory.

Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2014-08-18 12:56:56 UTC
guess this was included in the 2.1.0 release which i added a few weeks ago.  i'd give it the normal 30 day and then stabilize.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 19:54:38 UTC
CVE-2014-5263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5263):
  vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the
  list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a
  denial of service (out-of-bounds access, infinite loop, and memory
  corruption) and possibly gain privileges via unspecified vectors.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-09 19:50:50 UTC
Stabilized in Bug # 520688
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-05 01:57:09 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 22:48:27 UTC
This issue was resolved and addressed in
 GLSA 201412-01 at http://security.gentoo.org/glsa/glsa-201412-01.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).