openSUSE-SU-2016:3237

[oss-security] 20161014 CVE request Qemu: net: OOB buffer access in rocker switch emulation

[oss-security] 20161015 Re: CVE request Qemu: net: OOB buffer access in rocker switch emulation

93566

[qemu-devel] 20161012 [PATCH] net: rocker: set limit to DMA buffer size

GLSA-201611-11

- CVE-2016-6836: vmxnet: Information leakage in     vmxnet3_complete_packet (bz #1366370)

  - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr     (bz #1381196)

  - CVE-2016-7994: virtio-gpu: memory leak in     resource_create_2d (bz #1382667)

  - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read     (bz #1383286)

  - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs     routines (bz #1383292)

  - CVE-2016-8668: OOB buffer access in rocker switch     emulation (bz #1384898)

  - CVE-2016-8669: divide by zero error in     serial_update_parameters (bz #1384911)

  - CVE-2016-8910: rtl8139: infinite loop while transmit in     C+ mode (bz #1388047)

  - CVE-2016-8909: intel-hda: infinite loop in dma buffer     stream (bz #1388053)

  - Infinite loop vulnerability in a9_gtimer_update (bz     #1388300)

  - CVE-2016-9101: eepro100: memory leakage at device unplug     (bz #1389539)

  - CVE-2016-9103: 9pfs: information leakage via xattr (bz     #1389643)

  - CVE-2016-9102: 9pfs: memory leakage when creating     extended attribute (bz #1389551)

  - CVE-2016-9104: 9pfs: integer overflow leading to OOB     access (bz #1389687)

  - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz     #1389704)

  - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz     #1389713)

  - CVE-2016-9381: xen: incautious about shared ring     processing (bz #1397385)

  - CVE-2016-9921: Divide by zero vulnerability in     cirrus_do_copy (bz #1399054)

  - CVE-2016-9776: infinite loop while receiving data in     mcf_fec_receive (bz #1400830)

  - CVE-2016-9845: information leakage in     virgl_cmd_get_capset_info (bz #1402247)

  - CVE-2016-9846: virtio-gpu: memory leakage while updating     cursor data (bz #1402258)

  - CVE-2016-9907: usbredir: memory leakage when destroying     redirector (bz #1402266)

  - CVE-2016-9911: usb: ehci: memory leakage in     ehci_init_transfer (bz #1402273)

  - CVE-2016-9913: 9pfs: memory leakage via proxy/handle     callbacks (bz #1402277)

  - CVE-2016-10028: virtio-gpu-3d: OOB access while reading     virgl capabilities (bz #1406368)

  - CVE-2016-9908: virtio-gpu: information leakage in     virgl_cmd_get_capset (bz #1402263)

  - CVE-2016-9912: virtio-gpu: memory leakage when     destroying gpu resource (bz #1402285)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-6836: vmxnet: Information leakage in     vmxnet3_complete_packet (bz #1366370)

  - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr     (bz #1381196)

  - CVE-2016-7994: virtio-gpu: memory leak in     resource_create_2d (bz #1382667)

  - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read     (bz #1383286)

  - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs     routines (bz #1383292)

  - CVE-2016-8668: OOB buffer access in rocker switch     emulation (bz #1384898)

  - CVE-2016-8669: divide by zero error in     serial_update_parameters (bz #1384911)

  - CVE-2016-8909: intel-hda: infinite loop in dma buffer     stream (bz #1388053)

  - Infinite loop vulnerability in a9_gtimer_update (bz     #1388300)

  - CVE-2016-9101: eepro100: memory leakage at device unplug     (bz #1389539)

  - CVE-2016-9103: 9pfs: information leakage via xattr (bz     #1389643)

  - CVE-2016-9102: 9pfs: memory leakage when creating     extended attribute (bz #1389551)

  - CVE-2016-9104: 9pfs: integer overflow leading to OOB     access (bz #1389687)

  - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz     #1389704)

  - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz     #1389713)

  - CVE-2016-9381: xen: incautious about shared ring     processing (bz #1397385)

  - CVE-2016-9921: Divide by zero vulnerability in     cirrus_do_copy (bz #1399054)

  - CVE-2016-9776: infinite loop while receiving data in     mcf_fec_receive (bz #1400830)

  - CVE-2016-9845: information leakage in     virgl_cmd_get_capset_info (bz #1402247)

  - CVE-2016-9846: virtio-gpu: memory leakage while updating     cursor data (bz #1402258)

  - CVE-2016-9907: usbredir: memory leakage when destroying     redirector (bz #1402266)

  - CVE-2016-9911: usb: ehci: memory leakage in     ehci_init_transfer (bz #1402273)

  - CVE-2016-9913: 9pfs: memory leakage via proxy/handle     callbacks (bz #1402277)

  - CVE-2016-10028: virtio-gpu-3d: OOB access while reading     virgl capabilities (bz #1406368)

  - CVE-2016-9908: virtio-gpu: information leakage in     virgl_cmd_get_capset (bz #1402263)

  - CVE-2016-9912: virtio-gpu: memory leakage when     destroying gpu resource (bz #1402285)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu to version 2.6.2 fixes the several issues.

These security issues were fixed :

  - CVE-2016-7161: Heap-based buffer overflow in the     .receive callback of xlnx.xps-ethernetlite in QEMU (aka     Quick Emulator) allowed attackers to execute arbitrary     code on the QEMU host via a large ethlite packet     (bsc#1001151).

  - CVE-2016-7170: OOB stack memory access when processing     svga command (bsc#998516).

  - CVE-2016-7466: xhci memory leakage during device unplug     (bsc#1000345).

  - CVE-2016-7422: NULL pointer dereference in     virtqueu_map_desc (bsc#1000346).

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1002550).

  - CVE-2016-7995: Memory leak in ehci_process_itd     (bsc#1003612).

  - CVE-2016-8576: The xhci_ring_fetch function in     hw/usb/hcd-xhci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and QEMU     process crash) by leveraging failure to limit the number     of link Transfer Request Blocks (TRB) to process     (bsc#1003878).

  - CVE-2016-8578: The v9fs_iov_vunmarshal function in     fsdev/9p-iov-marshal.c allowed local guest OS     administrators to cause a denial of service (NULL     pointer dereference and QEMU process crash) by sending     an empty string parameter to a 9P operation     (bsc#1003894).

  - CVE-2016-9105: Memory leakage in v9fs_link     (bsc#1007494).

  - CVE-2016-8577: Memory leak in the v9fs_read function in     hw/9pfs/9p.c allowed local guest OS administrators to     cause a denial of service (memory consumption) via     vectors related to an I/O read operation (bsc#1003893).

  - CVE-2016-9106: Memory leakage in v9fs_write     (bsc#1007495).

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1004707).

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002557).

  - CVE-2016-9101: eepro100 memory leakage whern unplugging     a device (bsc#1007391).

  - CVE-2016-8668: The rocker_io_writel function in     hw/net/rocker/rocker.c allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging failure to limit DMA buffer size     (bsc#1004706).

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1006538).

  - CVE-2016-8909: The intel_hda_xfer function in     hw/audio/intel-hda.c allowed local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer position     (bsc#1006536).

  - CVE-2016-7994: Memory leak in     virtio_gpu_resource_create_2d (bsc#1003613).

  - CVE-2016-9104: Integer overflow leading to OOB access in     9pfs (bsc#1007493).

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c allowed local guest OS administrators to     cause a denial of service (divide-by-zero error and QEMU     process crash) via a large interval timer reload value     (bsc#1004702).

  - CVE-2016-7907: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002549).

These non-security issues were fixed :

  - Change kvm-supported.txt to be per-architecture     documentation, stored in the package documentation     directory of each per-arch package (bsc#1005353).

  - Update support doc to include current ARM64 (AArch64)     support stance (bsc#1005374).

  - Fix migration failure when snapshot also has been done     (bsc#1008148).

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116).

  - Add qmp-commands.txt documentation file back in. It was     inadvertently dropped.

  - Add an x86 cpu option (l3-cache) to specify that an L3     cache is present and another option (cpuid-0xb) to     enable the cpuid 0xb leaf (bsc#1007769).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for qemu to version 2.6.2 fixes the several issues. These security issues were fixed :

  - CVE-2016-7161: Heap-based buffer overflow in the     .receive callback of xlnx.xps-ethernetlite in QEMU (aka     Quick Emulator) allowed attackers to execute arbitrary     code on the QEMU host via a large ethlite packet     (bsc#1001151).

  - CVE-2016-7170: OOB stack memory access when processing     svga command (bsc#998516).

  - CVE-2016-7466: xhci memory leakage during device unplug     (bsc#1000345).

  - CVE-2016-7422: NULL pointer dereference in     virtqueu_map_desc (bsc#1000346).

  - CVE-2016-7908: The mcf_fec_do_tx function in     hw/net/mcf_fec.c did not properly limit the buffer     descriptor count when transmitting packets, which     allowed local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of 0     and crafted values in bd.flags (bsc#1002550).

  - CVE-2016-7995: Memory leak in ehci_process_itd     (bsc#1003612).

  - CVE-2016-8576: The xhci_ring_fetch function in     hw/usb/hcd-xhci.c allowed local guest OS administrators     to cause a denial of service (infinite loop and QEMU     process crash) by leveraging failure to limit the number     of link Transfer Request Blocks (TRB) to process     (bsc#1003878).

  - CVE-2016-8578: The v9fs_iov_vunmarshal function in     fsdev/9p-iov-marshal.c allowed local guest OS     administrators to cause a denial of service (NULL     pointer dereference and QEMU process crash) by sending     an empty string parameter to a 9P operation     (bsc#1003894).

  - CVE-2016-9105: Memory leakage in v9fs_link     (bsc#1007494).

  - CVE-2016-8577: Memory leak in the v9fs_read function in     hw/9pfs/9p.c allowed local guest OS administrators to     cause a denial of service (memory consumption) via     vectors related to an I/O read operation (bsc#1003893).

  - CVE-2016-9106: Memory leakage in v9fs_write     (bsc#1007495).

  - CVE-2016-8669: The serial_update_parameters function in     hw/char/serial.c allowed local guest OS administrators     to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving a value of     divider greater than baud base (bsc#1004707).

  - CVE-2016-7909: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002557).

  - CVE-2016-9101: eepro100 memory leakage whern unplugging     a device (bsc#1007391).

  - CVE-2016-8668: The rocker_io_writel function in     hw/net/rocker/rocker.c allowed local guest OS     administrators to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging failure to limit DMA buffer size     (bsc#1004706).

  - CVE-2016-8910: The rtl8139_cplus_transmit function in     hw/net/rtl8139.c allowed local guest OS administrators     to cause a denial of service (infinite loop and CPU     consumption) by leveraging failure to limit the ring     descriptor count (bsc#1006538).

  - CVE-2016-8909: The intel_hda_xfer function in     hw/audio/intel-hda.c allowed local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer position     (bsc#1006536).

  - CVE-2016-7994: Memory leak in     virtio_gpu_resource_create_2d (bsc#1003613).

  - CVE-2016-9104: Integer overflow leading to OOB access in     9pfs (bsc#1007493).

  - CVE-2016-8667: The rc4030_write function in     hw/dma/rc4030.c allowed local guest OS administrators to     cause a denial of service (divide-by-zero error and QEMU     process crash) via a large interval timer reload value     (bsc#1004702).

  - CVE-2016-7907: The pcnet_rdra_addr function in     hw/net/pcnet.c allowed local guest OS administrators to     cause a denial of service (infinite loop and QEMU     process crash) by setting the (1) receive or (2)     transmit descriptor ring length to 0 (bsc#1002549).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201611-11 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    A privileged user /process within a guest QEMU environment can cause a       Denial of Service condition against the QEMU guest process or the host.
  Workaround :

    There is no known workaround at this time.

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-5403)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6833, CVE-2016-6834, CVE-2016-6888)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6835)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6836)

Felix Wilhelm discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host files.
(CVE-2016-7116)

Li Qiang and Tom Victor discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7155)

Li Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7156, CVE-2016-7421)

Tom Victor discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7157)

Hu Chaojian discovered that QEMU incorrectly handled xlnx.xps-ethernetlite emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-7161)

Qinghao Tang and Li Qiang discovered that QEMU incorrectly handled the VMware VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7170)

Qinghao Tang and Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7422)

Li Qiang discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7423)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7466)

Li Qiang discovered that QEMU incorrectly handled ColdFire Fast Ethernet Controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-7908)

Li Qiang discovered that QEMU incorrectly handled AMD PC-Net II emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7909)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7994)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7995)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8576)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8577, CVE-2016-8578)

It was discovered that QEMU incorrectly handled Rocker switch emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8668)

It was discovered that QEMU incorrectly handled Intel HDA controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8909)

Andrew Henderson discovered that QEMU incorrectly handled RTL8139 ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8910)

Li Qiang discovered that QEMU incorrectly handled Intel i8255x ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9101)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9102, CVE-2016-9104, CVE-2016-9105)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. (CVE-2016-9103)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9106).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
96782	Fedora 24 : 2:qemu (2017-12394e2cc7)	Nessus	Fedora Local Security Checks	medium
96677	Fedora 25 : 2:qemu (2017-b953d4d3a4)	Nessus	Fedora Local Security Checks	medium
96129	openSUSE Security Update : qemu (openSUSE-2016-1504)	Nessus	SuSE Local Security Checks	critical
95283	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2879-1)	Nessus	SuSE Local Security Checks	critical
95018	GLSA-201611-11 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
94669	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : qemu, qemu-kvm vulnerabilities (USN-3125-1)	Nessus	Ubuntu Local Security Checks	critical

CVE-2016-8668

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins