Message-ID: <20170910195431.fvcvbo24su3zkl3n@eldamar.local>
Date: Sun, 10 Sep 2017 21:54:31 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: David Buchanan <d@...buchanan.co.uk>, Michael Tokarev <mjt@....msk.ru>
Subject: Re: CVE-2017-13673 Qemu: vga: reachable assert failure during display update

Hi!

On Wed, Aug 30, 2017 at 03:34:51PM +0530, P J P wrote:
>   Hello,
> 
> Quick emulator (Qemu) built with the VGA display emulator support is
> vulnerable to an assert failure issue. It could occur while updating the
> graphics display, due to miscalculating the region for the dirty bitmap
> snapshot in split screen mode.
> 
> A privileged user/process inside guest could use this flaw to crash the Qemu
> process on the host resulting in DoS.
> 
> Upstream patch:
> ---------------
>   -> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04685.html
> 
> Reference:
> ----------
>   -> https://bugzilla.redhat.com/show_bug.cgi?id=1486588
> 
> This issue was reported by David Buchanan.

Can you clarify the affected versions? I noticed while looking at the
above that the MITRE description mentions "Qemu 2.8.0 through 2.9.0". I
perfectly realize that this does not come from the above. As far as I can
see, e.g. cpu_physical_memory_snapshot_get_dirty was only introduced
in v2.10.0-rc0. The upstream commit associated with the above issue
is:

 https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bfc56535f793c557aa754c50213fc5f882e6482d

which fixes

 https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=fec5e8c92becad223df9d972770522f64aafdb72

introducing the use of dirty bitmap snapshots in vga_draw_graphic().

Am I missing something that makes it affect earlier versions than
2.10 as well?

Regards and thanks already for your help,
Salvatore
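The version check raised in the message above, as an added example that is not part of this thread or of QEMU: instead of trusting the range in the CVE description, ask git which commit first introduced cpu_physical_memory_snapshot_get_dirty (pickaxe search) and which release tags contain that commit. The function names introducing_commit, first_tag_containing, affected_tags and make_demo_repo are invented here; the stand-in repository, its file contents and its commit messages are constructed so the script runs offline, and the real QEMU hashes appear only in comments for orientation. Pointed at an actual QEMU clone, the same three query functions answer the same question against the real history.

```shell
#!/bin/sh
# Added example, not part of the thread or of QEMU: check an "affected
# versions" claim against the repository itself. Two questions are asked of
# git: which commit first introduced a symbol (pickaxe search), and which
# release tags contain that commit. Against a real QEMU clone:
#   introducing_commit /path/to/qemu cpu_physical_memory_snapshot_get_dirty
# Below, a constructed stand-in repository is built so the functions can be
# exercised offline. Requires git on PATH.

# Oldest commit whose diff changes the number of occurrences of the given
# string (git pickaxe, -S). Prints one full hash.
introducing_commit() {
    git -C "$1" log --reverse --format=%H -S"$2" | head -n 1
}

# Closest tag reachable from the commit, i.e. the first release (or rc)
# shipping it. git describe --contains appends a ~N or ^N distance suffix
# (e.g. "v2.10.0-rc0~12" in the real tree), which is stripped here.
first_tag_containing() {
    git -C "$1" describe --contains "$2" | sed 's/[~^].*//'
}

# Every tag that contains the commit; a release absent from this list
# never shipped the code in question.
affected_tags() {
    git -C "$1" tag --contains "$2"
}

# Constructed history (hypothetical, not QEMU's) mimicking the shape of the
# question in the thread: a release without the snapshot helper, an rc that
# introduced it, and a later release carrying a fix.
make_demo_repo() {
    repo=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git -C "$repo" init -q
    printf 'vga_draw_graphic: full redraw\n' > "$repo/vga.c"
    git -C "$repo" add vga.c
    git -C "$repo" commit -q -m "vga: initial"
    git -C "$repo" tag v2.9.0
    printf 'vga_draw_graphic: cpu_physical_memory_snapshot_get_dirty\n' > "$repo/vga.c"
    git -C "$repo" commit -q -am "vga: use dirty bitmap snapshots"   # stands in for fec5e8c9
    git -C "$repo" tag v2.10.0-rc0
    printf 'vga_draw_graphic: fixed region calculation\n' >> "$repo/vga.c"
    git -C "$repo" commit -q -am "vga: fix dirty bitmap region"      # stands in for bfc56535
    git -C "$repo" tag v2.10.0
    printf '%s\n' "$repo"
}

# Walk the constructed repo: the symbol first appears in the commit tagged
# v2.10.0-rc0, so v2.9.0 is not in the list of tags containing it.
demo() {
    repo=$(make_demo_repo)
    intro=$(introducing_commit "$repo" cpu_physical_memory_snapshot_get_dirty)
    echo "introduced in: $intro"
    echo "first tag:     $(first_tag_containing "$repo" "$intro")"
    echo "all tags:      $(affected_tags "$repo" "$intro" | tr '\n' ' ')"
    rm -rf "$repo"
}

demo
```

Against a real clone, run introducing_commit for the symbol, then first_tag_containing and affected_tags on the hash it prints; if no tag older than v2.10.0-rc0 appears, the "2.8.0 through 2.9.0" range cannot be right for that code path.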
