Bugzilla – Bug 1022541
VUL-0: CVE-2017-5667: kvm: qemu: sd: sdhci OOB access during multi block SDMA transfer
Last modified: 2017-06-08 11:12:55 UTC
Ref: http://seclists.org/oss-sec/2017/q1/231 ============================================= Hello, Quick emulator(Qemu) built with the SDHCI device emulation support is vulnerable to an OOB heap access issue. It could occur while doing a multi block SDMA transfer via 'sdhci_sdma_transfer_multi_blocks' routine. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host. Upstream patch: --------------- -> https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06191.html Reference: ---------- -> https://bugzilla.redhat.com/show_bug.cgi?id=1417559 This issue was reported by Jiang Xin of Huawei PSIR team. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F =============================================
bugbot adjusting priority
Ref: http://seclists.org/oss-sec/2017/q1/243 ============================================== Use CVE-2017-5667. This is not yet available at http://git.qemu.org/?p=qemu.git;a=history;f=hw/sd/sdhci.c but that may be an expected place for a later update. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] ==============================================
Acknowlegments: Jiang Xin (Huawei PSIRT) Increasing severity of this bug. This is a rather sensitive issue, as it allows somewhat attacker controlled heap writes.
http://seclists.org/oss-sec/2017/q1/412 ============================================ This commit appears to address CVE-2017-5667: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9 ============================================
SUSE-SU-2017:0625-1: An update that solves 15 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1014702,1015169,1016779,1017081,1017084,1020491,1020589,1020928,1021129,1021195,1021481,1022541,1023004,1023053,1023073,1023907,1024972,1026583,977027 CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-10155,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5552,CVE-2017-5578,CVE-2017-5667,CVE-2017-5856,CVE-2017-5857,CVE-2017-5898 Sources used: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): qemu-2.6.2-41.9.1 SUSE Linux Enterprise Server 12-SP2 (src): qemu-2.6.2-41.9.1 SUSE Linux Enterprise Desktop 12-SP2 (src): qemu-2.6.2-41.9.1
Fixed.
SUSE-SU-2017:0661-1: An update that solves 11 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1021129,1022541,1023004,1023053,1023907,1024972 CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898 Sources used: SUSE Linux Enterprise Server for SAP 12 (src): qemu-2.0.2-48.31.1 SUSE Linux Enterprise Server 12-LTSS (src): qemu-2.0.2-48.31.1
openSUSE-SU-2017:0707-1: An update that solves 15 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1014702,1015169,1016779,1017081,1017084,1020491,1020589,1020928,1021129,1021195,1021481,1022541,1023004,1023053,1023073,1023907,1024972,1026583,977027 CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-10155,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5552,CVE-2017-5578,CVE-2017-5667,CVE-2017-5856,CVE-2017-5857,CVE-2017-5898 Sources used: openSUSE Leap 42.2 (src): qemu-2.6.2-29.4, qemu-linux-user-2.6.2-29.1, qemu-testsuite-2.6.2-29.8
SUSE-SU-2017:1241-1: An update that solves 13 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125 CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): qemu-2.3.1-32.11 SUSE Linux Enterprise Desktop 12-SP1 (src): qemu-2.3.1-32.11
openSUSE-SU-2017:1312-1: An update that solves 13 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125 CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898 Sources used: openSUSE Leap 42.1 (src): qemu-2.3.1-25.1, qemu-linux-user-2.3.1-25.1, qemu-testsuite-2.3.1-25.1