Message-Id: <20160523173303.042486C0718@smtpvmsrv1.mitre.org>
Date: Mon, 23 May 2016 13:33:03 -0400 (EDT)
From: cve-assign@...re.org
To: ppandit@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, liqiang6-s@....cn
Subject: Re: CVE request: Qemu: scsi: pvscsi: out-of-bounds access issue in pvsci_ring_init_msg/data routines

> Quick Emulator(Qemu) built with the VMWARE PVSCSI paravirtual SCSI bus
> emulation support is vulnerable to an OOB r/w access issue. It could occur
> while processing SCSI commands 'PVSCSI_CMD_SETUP_RINGS' or
> 'PVSCSI_CMD_SETUP_MSG_RING'.
>
> A privileged user inside guest could use this flaw to crash the Qemu process
> resulting in DoS.
>
> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03774.html

>> Vmware Paravirtual SCSI emulation uses command descriptors to
>> process SCSI commands. These descriptors come with their ring
>> buffers. A guest could set the ring buffer size to an arbitrary
>> value leading to OOB access issue. Add check to avoid it.

Use CVE-2016-4952.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/scsi/vmw_pvscsi.c but
that may be an expected place for a later update.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
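The quoted patch description says a guest-chosen ring size reached the ring setup code without a check. The following is an added example of that kind of check, not QEMU's code and not part of this message; the struct names, field names and limits are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* All names and sizes here are hypothetical; they model the pattern only. */
#define RING_MAX_PAGES  32u     /* capacity of the fixed page-number arrays */
#define PAGE_SIZE_BYTES 4096u
#define REQ_DESC_SIZE   128u

/* Setup command as written by the guest: every field is untrusted. */
struct setup_rings_cmd {
    uint32_t req_ring_pages;
    uint32_t cmp_ring_pages;
    uint64_t req_ring_ppn[RING_MAX_PAGES];
    uint64_t cmp_ring_ppn[RING_MAX_PAGES];
};

/* Device-side ring state, sized for at most RING_MAX_PAGES pages per ring. */
struct ring_state {
    uint64_t req_ring_pa[RING_MAX_PAGES];
    uint64_t cmp_ring_pa[RING_MAX_PAGES];
    uint32_t req_entries;
    int ready;
};

/* Returns 0 on success, -1 if the guest-supplied sizes are out of range. */
int ring_init_checked(struct ring_state *rs, const struct setup_rings_cmd *cmd)
{
    /* Validate both counts before either is used as a loop bound.
     * Rejecting zero is an extra conservative choice made for this example. */
    if (cmd->req_ring_pages == 0 || cmd->req_ring_pages > RING_MAX_PAGES ||
        cmd->cmp_ring_pages == 0 || cmd->cmp_ring_pages > RING_MAX_PAGES) {
        return -1;              /* caller leaves the rings uninitialised */
    }
    memset(rs, 0, sizeof(*rs));
    for (uint32_t i = 0; i < cmd->req_ring_pages; i++) {
        rs->req_ring_pa[i] = cmd->req_ring_ppn[i] * PAGE_SIZE_BYTES;
    }
    for (uint32_t i = 0; i < cmd->cmp_ring_pages; i++) {
        rs->cmp_ring_pa[i] = cmd->cmp_ring_ppn[i] * PAGE_SIZE_BYTES;
    }
    rs->req_entries = cmd->req_ring_pages * (PAGE_SIZE_BYTES / REQ_DESC_SIZE);
    rs->ready = 1;
    return 0;
}
```

Without the range check, the two loops would index past the fixed arrays whenever the guest wrote a page count above the array capacity, which is the out-of-bounds access the description refers to.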