105866

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16847

https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html

USN-3826-1

[oss-security] 20181102 CVE-2018-16847 QEMU: nvme: Out-of-bounds r/w buffer access in cmb operations

According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does     not prevent ..\ directory traversal on     Windows.(CVE-2020-7211)

  - interface_release_resource in hw/display/qxl.c in QEMU     4.0.0 has a NULL pointer dereference.(CVE-2019-12155)

  - QEMU 3.0.0 has an Integer Overflow because the     qga/commands*.c files do not check the length of the     argument list or the number of environment variables.
    NOTE: This has been disputed as not     exploitable.(CVE-2019-12247)

  - qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that     a network interface name (obtained from bridge.conf or     a --br=bridge option) is limited to the IFNAMSIZ size,     which can lead to an ACL bypass.(CVE-2019-13164)

  - ip_reass in ip_input.c in libslirp 4.0.0 has a     heap-based buffer overflow via a large packet because     it mishandles a case involving the first     fragment.(CVE-2019-14378)

  - An issue was discovered in ide_dma_cb() in     hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest     system can crash the QEMU process in the host system     via a special SCSI_IOCTL_SEND_COMMAND. It hits an     assertion that implies that the size of successful DMA     transfers there must be a multiple of 512 (the size of     a sector). NOTE: a member of the QEMU security team     disputes the significance of this issue because a     'privileged guest user has many ways to cause similar     DoS effect, without triggering this     assert.'(CVE-2019-20175)

  - hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a     NULL pointer dereference, which allows the attacker to     cause a denial of service via a device     driver.(CVE-2019-5008)

  - An OOB heap buffer r/w access issue was found in the     NVM Express Controller emulation in QEMU. It could     occur in nvme_cmb_ops routines in nvme device. A guest     user/process could use this flaw to crash the QEMU     process resulting in DoS or potentially run arbitrary     code with privileges of the QEMU     process.(CVE-2018-16847)

  - hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to     cause a denial of service (NULL pointer dereference or     excessive memory allocation) in create_cq_ring or     create_qp_rings.(CVE-2018-20125)

  - QEMU can have an infinite loop in     hw/rdma/vmw/pvrdma_dev_ring.c because return values are     not checked (and -1 is mishandled).(CVE-2018-20216)

  - The load_multiboot function in hw/i386/multiboot.c in     Quick Emulator (aka QEMU) allows local guest OS users     to execute arbitrary code on the QEMU host via a     mh_load_end_addr value greater than mh_bss_end_addr,     which triggers an out-of-bounds read or write memory     access.(CVE-2018-7550)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

  - CVE-2018-10839: Fixed NE2000 NIC emulation support that     is vulnerable to an integer overflow, which could lead     to buffer overflow issue. It could occur when receiving     packets over the network. A user inside guest could use     this flaw to crash the Qemu process resulting in DoS     (bsc#1110910).

  - CVE-2018-15746: Fixed qemu-seccomp.c that might allow     local OS guest users to cause a denial of service (guest     crash) by leveraging mishandling of the seccomp policy     for threads other than the main thread (bsc#1106222).

  - CVE-2018-16847: Fixed an OOB heap buffer r/w access     issue that was found in the NVM Express Controller     emulation in QEMU. It could occur in nvme_cmb_ops     routines in nvme device. A guest user/process could use     this flaw to crash the QEMU process resulting in DoS or     potentially run arbitrary code with privileges of the     QEMU process (bsc#1114529).

  - CVE-2018-17958: Fixed a Buffer Overflow in     rtl8139_do_receive in hw/net/rtl8139.c because an     incorrect integer data type is used (bsc#1111006).

  - CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive     in hw/net/pcnet.c because an incorrect integer data type     is used (bsc#1111010).

  - CVE-2018-17963: Fixed qemu_deliver_packet_iov in     net/net.c that accepts packet sizes greater than     INT_MAX, which allows attackers to cause a denial of     service or possibly have unspecified other impact.
    (bsc#1111013)

  - CVE-2018-18849: Fixed an out of bounds memory access     issue that was found in the LSI53C895A SCSI Host Bus     Adapter emulation while writing a message in     lsi_do_msgin. It could occur during migration if the     'msg_len' field has an invalid value. A user/process     could use this flaw to crash the Qemu process resulting     in DoS (bsc#1114422).

Non-security issues fixed :

  - Fix slowness in arm32 emulation (bsc#1112499).

  - In order to improve spectre mitigation for s390x, add a     new feature in the QEMU cpu model to provide the etoken     cpu feature for guests (bsc#1107489).

This update was imported from the SUSE:SLE-15:Update update project.

This update for qemu fixes the following issues :

Security issue fixed :

  - CVE-2018-16847: Fixed an out of bounds r/w buffer access     in cmb operations (bsc#1114529).

Non-security issue fixed :

  - Fixed serial console issue that triggered a qemu-kvm bug     (bsc#1108474).

This update was imported from the SUSE:SLE-15:Update update project.

- Fix cpu model crash on AMD hosts (bz #1640140)

  - CVE-2018-15746: seccomp blacklist is not applied to all     threads (bz #1618357)

  - Fix assertion in address_space_stw_le_cached (bz     #1644728)

  - CVE-2018-10839: ne2000: fix possible out of bound access     (bz #1636429)

  - CVE-2018-17958: rtl8139: fix possible out of bound     access (bz #1636729)

  - CVE-2018-17962: pcnet: fix possible buffer overflow (bz     #1636775)

  - CVE-2018-17963: net: ignore packet size greater than     INT_MAX (bz #1636782)

  - CVE-2018-18849: lsi53c895a: OOB msg buffer access leads     to DoS (bz #1644977)

  - CVE-2018-18954: ppc64: Out-of-bounds r/w stack access in     pnv_lpc_do_eccb (bz #1645442)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issue fixed :

CVE-2018-16847: Fixed an out of bounds r/w buffer access in cmb operations (bsc#1114529).

Non-security issue fixed: Fixed serial console issue in SLES 12 SP2 that triggered a qemu-kvm bug (bsc#1108474).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-16847: Fixed an OOB heap buffer r/w access issue that was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process (bsc#1114529).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

Non-security issues fixed: Fix slowness in arm32 emulation (bsc#1112499).

In order to improve spectre mitigation for s390x, add a new feature in the QEMU cpu model to provide the etoken cpu feature for guests (bsc#1107489).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

CVE-2018-16847: Fixed an out of bounds r/w buffer access in cmb operations (bsc#1114529).

Non-security issue fixed: Fixed a condition when retry logic does not have been executed in case of data transmit failure or connection hungup (bsc#1108474).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839)

It was discovered that QEMU incorrectly handled the Slirp networking back-end. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-11806)

Fakhri Zulkifli discovered that the QEMU guest agent incorrectly handled certain QMP commands. An attacker could possibly use this issue to crash the QEMU guest agent, resulting in a denial of service.
(CVE-2018-12617)

Li Qiang discovered that QEMU incorrectly handled NVM Express Controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16847)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled RTL8139 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17958)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled PCNET device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-17962)

Daniel Shapira discovered that QEMU incorrectly handled large packet sizes. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17963)

It was discovered that QEMU incorrectly handled LSI53C895A device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-18849)

Moguofang discovered that QEMU incorrectly handled the IPowerNV LPC controller. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-18954)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-19364).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
139983	EulerOS 2.0 SP8 : qemu (EulerOS-SA-2020-1880)	Nessus	Huawei Local Security Checks	high
123389	openSUSE Security Update : qemu (openSUSE-2019-961)	Nessus	SuSE Local Security Checks	critical
123149	openSUSE Security Update : qemu (openSUSE-2019-1005)	Nessus	SuSE Local Security Checks	high
120587	Fedora 29 : 2:qemu (2018-87f2ace20d)	Nessus	Fedora Local Security Checks	critical
120185	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2018:4086-1)	Nessus	SuSE Local Security Checks	high
120171	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2018:3927-1)	Nessus	SuSE Local Security Checks	critical
119763	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:4185-1)	Nessus	SuSE Local Security Checks	critical
119710	openSUSE Security Update : qemu (openSUSE-2018-1551)	Nessus	SuSE Local Security Checks	high
119491	openSUSE Security Update : qemu (openSUSE-2018-1483)	Nessus	SuSE Local Security Checks	critical
119216	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : QEMU vulnerabilities (USN-3826-1)	Nessus	Ubuntu Local Security Checks	critical

CVE-2018-16847

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

critical

high

critical

high

critical

critical

high

critical

critical