|
Message-Id: <20160907005443.AF3AB6C5469@smtpvmsrv1.mitre.org> Date: Tue, 6 Sep 2016 20:54:43 -0400 (EDT) From: cve-assign@...re.org To: ppandit@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, liqiang6-s@....cn Subject: Re: CVE request: Qemu: scsi: pvscsi: infintie loop when building SG list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Quick Emulator(Qemu) built with the VMWARE PVSCSI paravirtual SCSI bus > emulation support is vulnerable to an infinite loop issue. It could occur > while processing an IO request descriptor, building SG list. > > A privileged user inside guest could use this flaw to crash the Qemu process > resulting in DoS. > > https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00772.html > https://bugzilla.redhat.com/show_bug.cgi?id=1373478 >> In PVSCSI paravirtual SCSI bus, the request descriptor data >> length is defined to be 64 bit. While building SG list from >> a request descriptor, it gets truncated to 32bit in routine >> 'pvscsi_convert_sglist'. This could lead to an infinite loop >> situation for arbitrarily large 'dataLen' values. Check >> SG list element count to avoid it. Use CVE-2016-7156. This is not yet available at http://git.qemu.org/?p=qemu.git;a=history;f=hw/scsi/vmw_pvscsi.c but that may be an expected place for a later update. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXz2NGAAoJEHb/MwWLVhi2qM8P+gKKm8ns+cMWH6cCcT+M7Izh G3uH1T2Kgz+8JhXDAKAyYrCnPXFkrAHULGX8RYmZJ8pDeKpNfqcF6NIz8TqaF+e2 1HHDKX7NsSn3ODL3KI0JdAq1nfQ4leut0h+6OQnAbUAVJJGplWNPfRd2eIqfOUHv /Ew51J6R6oEaVV/+QL8PYNz/7U2MbmlrH56Pj4v3pqzeEc4MJgkX5EcGc01n/vZd /ir6HjirzTajWsAoOZqRiQ9euentjOGwsTPIxCQ4v+MKWFdU+AdMonpoKic6dQj+ IuVQA0y59pkcXxfcWOhGghanCYh3hvnrSWUtL/PDeUSufyAwKJaVoo/IPKtwZVMW PrsaxfPTzlYzwHc0usJPuMWjEytf9mWNU0jX/84tMNakTFLYXcCsAl9tH5iHmiVp MIvAACVTQSQ7qx6s4UTz5PLbln1kZ3E5ZsXEv5rTZktwQ+2FDl31nuNLKZckYxKw 6bz4BHFO0FYmFU0TNjVIGfOypGh4ctX1N4pj9tAx87fk7+qT+LXDeNUztkW0nsdM 7zMI193LH+SzTcDH0B7Fkyeg2K8CmqPnctaRdhHo/man9i/MEZUiYn3Skk+AhJd/ yr3bwK5I1stfSSglp+uzjzLNZUQmg9sOA0aJrCddaQzyiNitusVDSCW6AKruBzln 1pxmVAwD3Eyefat/NQi8 =DZ2t -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.