Vigil@nce - QEMU: buffer overflow of virtio-serial-bus
October 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker controlling a guest system can trigger a buffer overflow
in hw/char/virtio-serial-bus.c of QEMU, in order to cause a denial of
service of the QEMU process, and possibly to run code on the host.
– Impacted products: Debian, Fedora, QEMU, Ubuntu.
– Severity: 2/4.
– Creation date: 06/08/2015.
DESCRIPTION OF THE VULNERABILITY
The QEMU product emulates a virtio serial bus in hw/char/virtio-serial-bus.c.
Control messages for this bus are copied by the host into buffers that
the guest posts on the virtqueue, and the guest chooses the length of
those buffers. However, the send_control_msg() function performs a
memcpy() of the full control message without checking that it fits in
the buffer supplied by the guest.
An attacker controlling a guest system can therefore post an undersized
buffer and trigger a buffer overflow in virtio-serial-bus.c of QEMU, in
order to cause a denial of service, and possibly to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-buffer-overflow-of-virtio-serial-bus-17605