Message-Id: <20160116165153.8AD7F6C035C@smtpvmsrv1.mitre.org>
Date: Sat, 16 Jan 2016 11:51:53 -0500 (EST)
From: cve-assign@...re.org
To: ppandit@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, liuling-it@....cn
Subject: Re: CVE request Qemu: i386: null pointer dereference in vapic_write

> Qemu emulator built with the TPR optimization for 32-bit Windows guests
> support is vulnerable to a null pointer dereference flaw. It occurs while
> doing I/O port write operations via hmp interface. In that, 'current_cpu'
> remains null, which leads to the null pointer dereference.
>
> A user/process could use this flaw to crash the Qemu instance, resulting in
> DoS issue.
>
> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg02812.html
> https://bugzilla.redhat.com/show_bug.cgi?id=1283934

>> When I/O port write operation is called from hmp interface,
>> 'current_cpu' remains null, as it is not called from cpu_exec()
>> loop. This leads to a null pointer dereference in vapic_write
>> routine. Add check to avoid it.

Use CVE-2016-1922. This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/i386/kvmvapic.c but
that may be an expected place for a later update.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
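
The failure mode described in the quoted report, as an added example that is not part of the original message and is not QEMU source code: a simplified C model in which a handler needing per-vCPU context is reached both from the vCPU execution loop and from a monitor command, with the null check in place. Every name ending in _model, and the CPUState layout, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not QEMU source. Names ending in _model are hypothetical. */
typedef struct CPUState {
    int cpu_index;
    uint32_t last_port_write;
} CPUState;

/* Modelled on the 'current_cpu' variable named in the message:
 * it is only non-NULL while a vCPU is executing guest code. */
static CPUState *current_cpu = NULL;

/* I/O port write handler that needs the calling vCPU's state.
 * Returns 0 when handled, -1 when no vCPU context exists. */
static int vapic_write_model(uint32_t data)
{
    if (!current_cpu) {
        /* Without this check the next line dereferences NULL and the
         * whole emulator process crashes (the DoS in the report). */
        return -1;
    }
    current_cpu->last_port_write = data;
    return 0;
}

/* Path 1: the guest performs a port write inside the vCPU loop,
 * so the per-CPU context is set around the handler call. */
static int cpu_exec_model(CPUState *cpu, uint32_t data)
{
    current_cpu = cpu;
    int rc = vapic_write_model(data);
    current_cpu = NULL;
    return rc;
}

/* Path 2: a monitor (hmp) command triggers the same port write from
 * outside the vCPU loop, so current_cpu was never set. */
static int hmp_port_write_model(uint32_t data)
{
    return vapic_write_model(data);
}

int main(void)
{
    CPUState cpu0 = { 0, 0 };
    printf("vCPU path:    rc=%d\n", cpu_exec_model(&cpu0, 0x7e));
    printf("monitor path: rc=%d\n", hmp_port_write_model(0x7e));
    return 0;
}
```

When reviewing similar device handlers, the question to ask is whether every caller of the handler runs with the per-CPU context set, not only the guest-driven one.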