Vigil@nce - QEMU: buffer overflow of Rocker tx_consume
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is administrator in a guest system, can generate
a buffer overflow in Rocker tx_consume() of QEMU, in order to
trigger a denial of service, and possibly to run code on the host
system.
– Impacted products: QEMU.
– Severity: 1/4.
– Creation date: 29/12/2015.
DESCRIPTION OF THE VULNERABILITY
QEMU emulates the Rocker network switch (hw/net/rocker/rocker.c).
However, the bounds check on the number of TX fragments in its
tx_consume() function is off by one: a fragment count that has
already reached ROCKER_TX_FRAGS_MAX still passes the check, so one
more guest-supplied fragment is written one element past the end of
the fixed-size fragment array on the stack.
An attacker, who is administrator in a guest system, can therefore
generate a buffer overflow in Rocker tx_consume() of QEMU, in
order to trigger a denial of service, and possibly to run code on
the host system.
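The off-by-one described above, modelled in C as an added example. This is constructed code, not QEMU's tx_consume(): FRAGS_MAX stands in for ROCKER_TX_FRAGS_MAX and its value, the fragment layout, the canary slot and the function names are all assumptions made for the demo. The weak check (iovcnt > FRAGS_MAX) accepts a guest-controlled fragment count of FRAGS_MAX + 1 and writes one entry past the end of the array; the corrected check (iovcnt >= FRAGS_MAX) rejects the extra fragment before any write. The array carries one spare slot holding a canary so the out-of-bounds write can be observed without corrupting real memory.

```c
/* Model of an off-by-one fragment-count check in a tx_consume()-style loop.
 * Constructed example, not QEMU's code. FRAGS_MAX stands in for
 * ROCKER_TX_FRAGS_MAX; the value 16 is assumed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAGS_MAX 16
#define CANARY    0xDEADBEEFCAFEBABEULL

enum {
    CONSUME_OK         = 0,   /* all fragments fit, no out-of-bounds write */
    CONSUME_TOO_MANY   = -1,  /* fragment list rejected by the bounds check */
    CONSUME_OVERFLOWED = 1,   /* the canary slot past the array was clobbered */
    CONSUME_BAD_ARG    = -2   /* demo input outside what run_case() can build */
};

struct frag_tlv {          /* one TX fragment as the guest would describe it (assumed layout) */
    uint64_t addr;
    uint16_t len;
};

struct iov_entry {         /* stands in for the per-fragment iovec entry */
    uint64_t base;
    size_t   len;
};

/* Walk a guest-supplied fragment list into a fixed-size array.
 * strict == 0 models the vulnerable check (iovcnt > FRAGS_MAX),
 * strict == 1 the corrected one   (iovcnt >= FRAGS_MAX).
 * iov has FRAGS_MAX + 1 slots; the last one is a canary, never a real
 * destination, so a write to iov[FRAGS_MAX] is detectable and memory-safe. */
static int consume_frags(const struct frag_tlv *frags, int nfrags, int strict)
{
    struct iov_entry iov[FRAGS_MAX + 1];
    int iovcnt = 0;
    int rejected = 0;

    iov[FRAGS_MAX].base = CANARY;
    iov[FRAGS_MAX].len  = 0;

    for (int i = 0; i < nfrags; i++) {
        int too_many = strict ? (iovcnt >= FRAGS_MAX) : (iovcnt > FRAGS_MAX);
        if (too_many) {
            rejected = 1;
            break;
        }
        /* With the weak check, iovcnt == FRAGS_MAX gets here and writes
         * iov[FRAGS_MAX], i.e. one element past the intended array. */
        iov[iovcnt].base = frags[i].addr;
        iov[iovcnt].len  = frags[i].len;
        iovcnt++;
    }

    if (iov[FRAGS_MAX].base != CANARY)
        return CONSUME_OVERFLOWED;
    return rejected ? CONSUME_TOO_MANY : CONSUME_OK;
}

/* Build nfrags constructed fragment descriptors and feed them to consume_frags(). */
static int run_case(int nfrags, int strict)
{
    struct frag_tlv frags[FRAGS_MAX + 2];

    if (nfrags < 0 || nfrags > FRAGS_MAX + 2)
        return CONSUME_BAD_ARG;
    for (int i = 0; i < nfrags; i++) {
        frags[i].addr = 0x1000u + 0x100u * (uint64_t)i;  /* constructed guest addresses */
        frags[i].len  = 64;
    }
    return consume_frags(frags, nfrags, strict);
}

int main(void)
{
    printf("weak   check, %d frags: %d\n", FRAGS_MAX,     run_case(FRAGS_MAX, 0));
    printf("weak   check, %d frags: %d\n", FRAGS_MAX + 1, run_case(FRAGS_MAX + 1, 0));
    printf("strict check, %d frags: %d\n", FRAGS_MAX,     run_case(FRAGS_MAX, 1));
    printf("strict check, %d frags: %d\n", FRAGS_MAX + 1, run_case(FRAGS_MAX + 1, 1));
    return 0;
}
```

Exactly FRAGS_MAX fragments are handled correctly by both variants; the difference appears only at FRAGS_MAX + 1, which is why such an off-by-one survives normal traffic and is only reached by a guest that deliberately describes one fragment too many.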
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-buffer-overflow-of-Rocker-tx-consume-18603