http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924

http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.33

RHSA-2015:1507

RHSA-2015:1508

RHSA-2015:1512

DSA-3348

[oss-security] 20150625 Re: CVE request -- Linux kernel - kvm: x86: out-of-bounds memory access in pit_ioport_read function

75273

1032598

https://bugzilla.redhat.com/show_bug.cgi?id=1229640

https://github.com/torvalds/linux/commit/ee73f656a604d5aa9df86a97102e4e462dd79924

GLSA-201510-02

https://support.lenovo.com/product_security/qemu

https://support.lenovo.com/us/en/product_security/qemu

37990

[qemu-devel] 20150617 Re: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()

Updated qemu-kvm-rhev packages that fix two security issues are now available for Red Hat Enterprise Virtualization Hypervisor 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM.

A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.
(CVE-2015-5154)

An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3214)

Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting the CVE-2015-3214 issue. The CVE-2015-5154 issue was discovered by Kevin Wolf of Red Hat.

All qemu-kvm-rhev users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
After installing this update, shut down all running virtual machines.
Once all virtual machines have shut down, start them again for this update to take effect.

kvm was updated to fix 33 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-5279: Heap-based buffer overflow in the     ne2000_receive function in hw/net/ne2000.c in QEMU     allowed guest OS users to cause a denial of service     (instance crash) or possibly execute arbitrary code via     vectors related to receiving packets (bsc#945987).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-6855: hw/ide/core.c in QEMU did not properly     restrict the commands accepted by an ATAPI device, which     allowed guest users to cause a denial of service or     possibly have unspecified other impact via certain IDE     commands, as demonstrated by a WIN_READ_NATIVE_MAX     command to an empty drive, which triggers a     divide-by-zero error and instance crash (bsc#945404).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 37 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI DMA I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI DMA I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Petr Matousek of Red Hat Inc. reports :

Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index and potentially cause memory corruption and/or minor information leak.

A privileged guest user in a guest with QEMU PIT emulation enabled could potentially (tough unlikely) use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT emulation and are thus not vulnerable to this issue.

The remote host is affected by the vulnerability described in GLSA-201510-02 (QEMU: Arbitrary code execution)

    Heap-based buffer overflow has been found in QEMU&rsquo;s PCNET controller.
  Impact :

    A remote attacker could execute arbitrary code via a specially crafted       packets.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities were discovered in qemu, a fast processor emulator.

  - CVE-2015-3214     Matt Tait of Google's Project Zero security team     discovered a flaw in the QEMU i8254 PIT emulation. A     privileged guest user in a guest with QEMU PIT emulation     enabled could potentially use this flaw to execute     arbitrary code on the host with the privileges of the     hosting QEMU process.

  - CVE-2015-5154     Kevin Wolf of Red Hat discovered a heap buffer overflow     flaw in the IDE subsystem in QEMU while processing     certain ATAPI commands. A privileged guest user in a     guest with the CDROM drive enabled could potentially use     this flaw to execute arbitrary code on the host with the     privileges of the hosting QEMU process.

  - CVE-2015-5165     Donghai Zhu discovered that the QEMU model of the     RTL8139 network card did not sufficiently validate     inputs in the C+ mode offload emulation, allowing a     malicious guest to read uninitialized memory from the     QEMU process's heap.

  - CVE-2015-5225     Mr Qinghao Tang from QIHU 360 Inc. and Mr Zuozhi from     Alibaba Inc discovered a buffer overflow flaw in the VNC     display driver leading to heap memory corruption. A     privileged guest user could use this flaw to mount a     denial of service (QEMU process crash), or potentially     to execute arbitrary code on the host with the     privileges of the hosting QEMU process.

  - CVE-2015-5745     A buffer overflow vulnerability was discovered in the     way QEMU handles the virtio-serial device. A malicious     guest could use this flaw to mount a denial of service     (QEMU process crash).

- Fix crash in qemu_spice_create_display (bz #1163047) *     CVE-2015-3209: pcnet: multi-tmd buffer overflow in the     tx path (bz #1230536) * CVE-2015-3214: i8254:
    out-of-bounds memory access (bz #1243728) *     CVE-2015-5154: ide: atapi: heap overflow during I/O     buffer memory access (bz #1247141) * CVE-2015-5745:
    buffer overflow in virtio-serial (bz #1251160) *     CVE-2015-5165: rtl8139 uninitialized heap memory     information leakage to guest (bz #1249755)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebased to version 2.4.0 * Support for virtio-gpu, 2D     only * Support for virtio-based keyboard/mouse/tablet     emulation * x86 support for memory hot-unplug

  - ACPI v5.1 table support for 'virt' board *     CVE-2015-3209: pcnet: multi-tmd buffer overflow in the     tx path (bz #1230536) * CVE-2015-3214: i8254: out-of-     bounds memory access (bz #1243728) * CVE-2015-5158: scsi     stack-based buffer overflow (bz #1246025) *     CVE-2015-5154: ide: atapi: heap overflow during I/O     buffer memory access (bz #1247141) * CVE-2015-5165:
    rtl8139 uninitialized heap memory information leakage to     guest (bz #1249755) * CVE-2015-5166: BlockBackend object     use after free issue (bz #1249758) * CVE-2015-5745:
    buffer overflow in virtio- serial (bz #1251160)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebased to version 2.3.1

    - Fix crash in qemu_spice_create_display (bz #1163047)

    - Fix qemu-img map crash for unaligned image (bz       #1229394)

    - CVE-2015-3209: pcnet: multi-tmd buffer overflow in the       tx path (bz #1230536)

    - CVE-2015-3214: i8254: out-of-bounds memory access (bz       #1243728)

    - CVE-2015-5158: scsi stack-based buffer overflow (bz       #1246025)

    - CVE-2015-5154: ide: atapi: heap overflow during I/O       buffer memory access (bz #1247141)

    - CVE-2015-5166: BlockBackend object use after free       issue (bz #1249758)

    - CVE-2015-5745: buffer overflow in virtio-serial (bz       #1251160)

    - CVE-2015-5165: rtl8139 uninitialized heap memory       information leakage to guest (bz #1249755)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Matt Tait discovered that QEMU incorrectly handled PIT emulation. In a non-default configuration, a malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3214)

Kevin Wolf discovered that QEMU incorrectly handled processing ATAPI commands. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-5154)

Zhu Donghai discovered that QEMU incorrectly handled the SCSI driver.
A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile.
This issue only affected Ubuntu 15.04. (CVE-2015-5158).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.
(CVE-2015-5154)

An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3214)

This update also fixes the following bug :

  - Due to an incorrect implementation of portable memory     barriers, the QEMU emulator in some cases terminated     unexpectedly when a virtual disk was under heavy I/O     load. This update fixes the implementation in order to     achieve correct synchronization between QEMU's threads.
    As a result, the described crash no longer occurs.

After installing this update, shut down all running virtual machines.
Once all virtual machines have shut down, start them again for this update to take effect.

Updated qemu-kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM.

A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.
(CVE-2015-5154)

An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3214)

Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting the CVE-2015-3214 issue. The CVE-2015-5154 issue was discovered by Kevin Wolf of Red Hat.

This update also fixes the following bug :

* Due to an incorrect implementation of portable memory barriers, the QEMU emulator in some cases terminated unexpectedly when a virtual disk was under heavy I/O load. This update fixes the implementation in order to achieve correct synchronization between QEMU's threads. As a result, the described crash no longer occurs. (BZ#1233643)

All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

From Red Hat Security Advisory 2015:1507 :

Updated qemu-kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM.

A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.
(CVE-2015-5154)

An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3214)

Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting the CVE-2015-3214 issue. The CVE-2015-5154 issue was discovered by Kevin Wolf of Red Hat.

This update also fixes the following bug :

* Due to an incorrect implementation of portable memory barriers, the QEMU emulator in some cases terminated unexpectedly when a virtual disk was under heavy I/O load. This update fixes the implementation in order to achieve correct synchronization between QEMU's threads. As a result, the described crash no longer occurs. (BZ#1233643)

All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.

ID	Name	Product	Family	Severity
117306	RHEL 7 : qemu-kvm-rhev (RHSA-2015:1508)	Nessus	Red Hat Local Security Checks	high
93180	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1785-1)	Nessus	SuSE Local Security Checks	high
93169	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1698-1)	Nessus	SuSE Local Security Checks	high
91660	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1560-1)	Nessus	SuSE Local Security Checks	high
87702	FreeBSD : qemu -- code execution on host machine (aea8d90e-b0c1-11e5-8d13-bc5ff45d0f28)	Nessus	FreeBSD Local Security Checks	medium
86687	GLSA-201510-02 : QEMU: Arbitrary code execution	Nessus	Gentoo Local Security Checks	high
85754	Debian DSA-3348-1 : qemu - security update	Nessus	Debian Local Security Checks	high
85727	Fedora 21 : qemu-2.1.3-9.fc21 (2015-13404)	Nessus	Fedora Local Security Checks	high
85592	Fedora 23 : qemu-2.4.0-1.fc23 (2015-13358)	Nessus	Fedora Local Security Checks	high
85480	Fedora 22 : qemu-2.3.1-1.fc22 (2015-13402)	Nessus	Fedora Local Security Checks	high
85080	Ubuntu 14.04 LTS / 15.04 : qemu vulnerabilities (USN-2692-1)	Nessus	Ubuntu Local Security Checks	high
85072	Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20150727)	Nessus	Scientific Linux Local Security Checks	high
85040	RHEL 7 : qemu-kvm (RHSA-2015:1507)	Nessus	Red Hat Local Security Checks	high
85035	Oracle Linux 7 : qemu-kvm (ELSA-2015-1507)	Nessus	Oracle Linux Local Security Checks	high
85030	CentOS 7 : qemu-kvm (CESA-2015:1507)	Nessus	CentOS Local Security Checks	high

CVE-2015-3214

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins