Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 583496 (CVE-2016-4439, CVE-2016-4441) - <app-emulation/qemu-2.7.0: two OOB write with ESP/NCR53C9x device (CVE-2016-{4439,4441})
Summary: <app-emulation/qemu-2.7.0: two OOB write with ESP/NCR53C9x device (CVE-2016-{...
Status: RESOLVED FIXED
Alias: CVE-2016-4439, CVE-2016-4441
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2016-7116
Blocks:
  Show dependency tree
 
Reported: 2016-05-19 13:50 UTC by Agostino Sarubbo
Modified: 2016-09-26 00:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-05-19 13:50:28 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1337505:

Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation support
is vulnerable to an OOB write access issue. The controller uses 16-byte FIFO
buffer for command and data transfer. The OOB write occurs while writing to
this command buffer in routine get_cmd().

A privileged user inside guest could use this flaw to crash the Qemu process
resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03274.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/05/19/4



From https://bugzilla.redhat.com/show_bug.cgi?id=1337502:

Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation support
is vulnerable to an OOB write access issue. The controller uses 16-byte FIFO
buffer for command and data transfer. The OOB write occurs while writing to
this command buffer in esp_reg_write().

A privileged user inside guest could use this flaw to crash the Qemu process
resulting in DoS OR potentially leverage it to execute arbitrary code with
privileges of the Qemu process on the host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03273.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/05/19/3


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 23:41:33 UTC
CVE-2016-4441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4441):
  The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller
  (FSC) support in QEMU does not properly check DMA length, which allows local
  guest OS administrators to cause a denial of service (out-of-bounds write
  and QEMU process crash) via unspecified vectors, involving an SCSI command.

CVE-2016-4439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4439):
  The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI
  Controller (FSC) support in QEMU does not properly check command buffer
  length, which allows local guest OS administrators to cause a denial of
  service (out-of-bounds write and QEMU process crash) or potentially execute
  arbitrary code on the QEMU host via unspecified vectors.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 23:45:31 UTC
(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2016-4441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4441):
>   The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller
>   (FSC) support in QEMU does not properly check DMA length, which allows
> local
>   guest OS administrators to cause a denial of service (out-of-bounds write
>   and QEMU process crash) via unspecified vectors, involving an SCSI command.
> 

Upstream patch:

http://git.qemu.org/?p=qemu.git;a=commit;h=6c1fef6b59563cc415f21e03f81539ed4b33ad90

> CVE-2016-4439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4439):
>   The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI
>   Controller (FSC) support in QEMU does not properly check command buffer
>   length, which allows local guest OS administrators to cause a denial of
>   service (out-of-bounds write and QEMU process crash) or potentially execute
>   arbitrary code on the QEMU host via unspecified vectors.

Upstream patch:

http://git.qemu.org/?p=qemu.git;a=commit;h=c98c6c105f66f05aa0b7c1d2a4a3f716450907ef
Comment 3 Matthias Maier gentoo-dev 2016-09-05 05:36:31 UTC
Fixed in at least version 2.7.0. Stabilization of 2.7.0 in #592430

commit 671df1de7a8611d59307ffcd448af451c15003ed
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Sep 4 23:25:32 2016 -0500

    app-emulation/qemu: version bump to 2.7.0, various security fixes
    
    3af9187fc6caaf415ab9c0c6d92c9678f65cb17f -> CVE-2016-4001, bug #579734
    3a15cc0e1ee7168db0782133d2607a6bfa422d66 -> CVE-2016-4002, bug #579734
    c98c6c105f66f05aa0b7c1d2a4a3f716450907ef -> CVE-2016-4439, bug #583496
    6c1fef6b59563cc415f21e03f81539ed4b33ad90 -> CVE-2016-4441, bug #583496
    06630554ccbdd25780aa03c3548aaff1eb56dffd ->              , bug #583952
    844864fbae66935951529408831c2f22367a57b6 -> CVE-2016-5337, bug #584094
    b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 ->              , bug #584102
    1b85898025c4cd95dce673d15e67e60e98e91731 ->              , bug #584146
    521360267876d3b6518b328051a2e56bca55bef8 -> CVE-2016-4453, bug #584514
    4e68a0ee17dad7b8d870df0081d4ab2e079016c2 -> CVE-2016-4454, bug #584514
    a6b3167fa0e825aebb5a7cd8b437b6d41584a196 -> CVE-2016-5126, bug #584630
    ff589551c8e8e9e95e211b9d8daafb4ed39f1aec -> CVE-2016-5338, bug #584918
    d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a -> CVE-2016-5238, bug #584918
    1e7aed70144b4673fc26e73062064b6724795e5f ->              , bug #589924
    afd9096eb1882f23929f5b5c177898ed231bac66 -> CVE-2016-5403, bug #589928
    eb700029c7836798046191d62d595363d92c84d4 -> CVE-2016-6835, bug #591244
    ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 -> CVE-2016-6834, bug #591374
    6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 -> CVE-2016-6833, bug #591380
    47882fa4975bf0b58dd74474329fdd7154e8f04c -> CVE-2016-6888, bug #591678
    
    805b5d98c649d26fc44d2d7755a97f18e62b438a
    56f101ecce0eafd09e2daf1c4eeb1377d6959261
    fff39a7ad09da07ef490de05c92c91f22f8002f2 ->              , bug #592430
    
    Package-Manager: portage-2.2.28
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2016-09-25 22:47:23 UTC
Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-09-26 00:36:47 UTC
This issue was resolved and addressed in
 GLSA 201609-01 at https://security.gentoo.org/glsa/201609-01
by GLSA coordinator Yury German (BlueKnight).