105866

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16847

https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html

USN-3826-1

[oss-security] 20181102 CVE-2018-16847 QEMU: nvme: Out-of-bounds r/w buffer access in cmb operations

This update for qemu fixes the following issues :

Security issues fixed :

  - CVE-2018-10839: Fixed NE2000 NIC emulation support that     is vulnerable to an integer overflow, which could lead     to buffer overflow issue. It could occur when receiving     packets over the network. A user inside guest could use     this flaw to crash the Qemu process resulting in DoS     (bsc#1110910).

  - CVE-2018-15746: Fixed qemu-seccomp.c that might allow     local OS guest users to cause a denial of service (guest     crash) by leveraging mishandling of the seccomp policy     for threads other than the main thread (bsc#1106222).

  - CVE-2018-16847: Fixed an OOB heap buffer r/w access     issue that was found in the NVM Express Controller     emulation in QEMU. It could occur in nvme_cmb_ops     routines in nvme device. A guest user/process could use     this flaw to crash the QEMU process resulting in DoS or     potentially run arbitrary code with privileges of the     QEMU process (bsc#1114529).

  - CVE-2018-17958: Fixed a Buffer Overflow in     rtl8139_do_receive in hw/net/rtl8139.c because an     incorrect integer data type is used (bsc#1111006).

  - CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive     in hw/net/pcnet.c because an incorrect integer data type     is used (bsc#1111010).

  - CVE-2018-17963: Fixed qemu_deliver_packet_iov in     net/net.c that accepts packet sizes greater than     INT_MAX, which allows attackers to cause a denial of     service or possibly have unspecified other impact.
    (bsc#1111013)

  - CVE-2018-18849: Fixed an out of bounds memory access     issue that was found in the LSI53C895A SCSI Host Bus     Adapter emulation while writing a message in     lsi_do_msgin. It could occur during migration if the     'msg_len' field has an invalid value. A user/process     could use this flaw to crash the Qemu process resulting     in DoS (bsc#1114422).

Non-security issues fixed :

  - Fix slowness in arm32 emulation (bsc#1112499).

  - In order to improve spectre mitigation for s390x, add a     new feature in the QEMU cpu model to provide the etoken     cpu feature for guests (bsc#1107489).

This update was imported from the SUSE:SLE-15:Update update project.

This update for qemu fixes the following issues :

Security issue fixed :

  - CVE-2018-16847: Fixed an out of bounds r/w buffer access     in cmb operations (bsc#1114529).

Non-security issue fixed :

  - Fixed serial console issue that triggered a qemu-kvm bug     (bsc#1108474).

This update was imported from the SUSE:SLE-15:Update update project.

- Fix cpu model crash on AMD hosts (bz #1640140)

  - CVE-2018-15746: seccomp blacklist is not applied to all     threads (bz #1618357)

  - Fix assertion in address_space_stw_le_cached (bz     #1644728)

  - CVE-2018-10839: ne2000: fix possible out of bound access     (bz #1636429)

  - CVE-2018-17958: rtl8139: fix possible out of bound     access (bz #1636729)

  - CVE-2018-17962: pcnet: fix possible buffer overflow (bz     #1636775)

  - CVE-2018-17963: net: ignore packet size greater than     INT_MAX (bz #1636782)

  - CVE-2018-18849: lsi53c895a: OOB msg buffer access leads     to DoS (bz #1644977)

  - CVE-2018-18954: ppc64: Out-of-bounds r/w stack access in     pnv_lpc_do_eccb (bz #1645442)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issue fixed :

CVE-2018-16847: Fixed an out of bounds r/w buffer access in cmb operations (bsc#1114529).

Non-security issue fixed: Fixed serial console issue in SLES 12 SP2 that triggered a qemu-kvm bug (bsc#1108474).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-16847: Fixed an OOB heap buffer r/w access issue that was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process (bsc#1114529).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

Non-security issues fixed: Fix slowness in arm32 emulation (bsc#1112499).

In order to improve spectre mitigation for s390x, add a new feature in the QEMU cpu model to provide the etoken cpu feature for guests (bsc#1107489).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

CVE-2018-16847: Fixed an out of bounds r/w buffer access in cmb operations (bsc#1114529).

Non-security issue fixed: Fixed a condition when retry logic does not have been executed in case of data transmit failure or connection hungup (bsc#1108474).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839)

It was discovered that QEMU incorrectly handled the Slirp networking back-end. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-11806)

Fakhri Zulkifli discovered that the QEMU guest agent incorrectly handled certain QMP commands. An attacker could possibly use this issue to crash the QEMU guest agent, resulting in a denial of service.
(CVE-2018-12617)

Li Qiang discovered that QEMU incorrectly handled NVM Express Controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16847)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled RTL8139 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17958)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled PCNET device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-17962)

Daniel Shapira discovered that QEMU incorrectly handled large packet sizes. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17963)

It was discovered that QEMU incorrectly handled LSI53C895A device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-18849)

Moguofang discovered that QEMU incorrectly handled the IPowerNV LPC controller. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-18954)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-19364).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
123389	openSUSE Security Update : qemu (openSUSE-2019-961)	Nessus	SuSE Local Security Checks	high
123149	openSUSE Security Update : qemu (openSUSE-2019-1005)	Nessus	SuSE Local Security Checks	medium
120587	Fedora 29 : 2:qemu (2018-87f2ace20d)	Nessus	Fedora Local Security Checks	high
120185	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2018:4086-1)	Nessus	SuSE Local Security Checks	medium
120171	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2018:3927-1)	Nessus	SuSE Local Security Checks	high
119763	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:4185-1)	Nessus	SuSE Local Security Checks	high
119710	openSUSE Security Update : qemu (openSUSE-2018-1551)	Nessus	SuSE Local Security Checks	medium
119491	openSUSE Security Update : qemu (openSUSE-2018-1483)	Nessus	SuSE Local Security Checks	high
119216	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : qemu vulnerabilities (USN-3826-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2018-16847

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins