[arch-security] Heap overflow in Qemu USB stack

Mark Lee mark at markelee.com
Tue May 13 13:32:16 EDT 2014


To all,

A Red Hat security member has posted information about a heap overflow
in the QEMU USB stack; please see below for the forwarded message.

Regards,
Mark

> Hello,
> 
> Correct post load checks:
> 1. dev->setup_len == sizeof(dev->data_buf)
>     seems fine, no need to fail migration
> 2. When state is DATA, passing index > len
>    will cause memcpy with negative length,
>    resulting in heap overflow
> 
> A user able to alter the saved VM data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
> 
> Upstream fix:
> -------------
>   -> http://article.gmane.org/gmane.comp.emulators.qemu/272322
> 
> Thank you.
> -- 
> Prasad J Pandit / Red Hat Security Response Team 

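The forwarded report describes the defect as a post-load check that accepts a restored setup_index larger than setup_len, so the DATA-stage memcpy runs with a negative (effectively huge) length. The following is an added illustration, not QEMU's own code or the upstream fix: a simplified, hypothetical model of the restored fields with a validator that fails migration on inconsistent values while still allowing len == sizeof(data_buf), as the report says is fine.

```c
/* Added example, not QEMU's code: hypothetical model of a USB device's
 * setup-stage state as restored from a migration stream, with the
 * post-load validation the report calls for. Names are stand-ins. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DATA_BUF_SIZE 4096  /* stands in for sizeof(dev->data_buf) */
#define STATE_DATA 2        /* hypothetical encoding of the DATA state */

typedef struct {
    int state;
    int32_t setup_len;    /* restored from the stream: untrusted */
    int32_t setup_index;  /* restored from the stream: untrusted */
    uint8_t data_buf[DATA_BUF_SIZE];
} usb_dev_t;

/* Length the DATA-stage memcpy would receive. With index > len the signed
 * difference is negative and, converted to size_t, becomes enormous. */
size_t data_stage_copy_len(const usb_dev_t *dev)
{
    return (size_t)(dev->setup_len - dev->setup_index);
}

/* Post-load check: 0 when the restored fields fit the buffer, -1 to fail
 * the migration. len == DATA_BUF_SIZE is accepted; index may not exceed len. */
int usb_post_load_check(const usb_dev_t *dev)
{
    if (dev->setup_len < 0 || dev->setup_len > (int32_t)DATA_BUF_SIZE)
        return -1;
    if (dev->setup_index < 0 || dev->setup_index > dev->setup_len)
        return -1;
    return 0;
}

/* Build a constructed record (what a stream, tampered or not, would restore)
 * and run the check on it. */
int check_restored(int state, int32_t len, int32_t index)
{
    usb_dev_t d;
    memset(&d, 0, sizeof d);
    d.state = state;
    d.setup_len = len;
    d.setup_index = index;
    return usb_post_load_check(&d);
}

/* Copy length the unchecked DATA stage would compute for the same record. */
size_t copy_len_for(int32_t len, int32_t index)
{
    usb_dev_t d;
    memset(&d, 0, sizeof d);
    d.state = STATE_DATA;
    d.setup_len = len;
    d.setup_index = index;
    return data_stage_copy_len(&d);
}
```

Rejecting the record at post-load time is the point: once the fields are accepted, any later bounds arithmetic on them is already operating on attacker-controlled values.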

