FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

qemu -- denial of service vulnerability in Rocker switch emulation

Affected packages
qemu < 2.5.50
qemu-devel < 2.5.50
qemu-sbruno < 2.5.50.g20160213
qemu-user-static < 2.5.50.g20160213


VuXML ID 1384f2fd-b1be-11e5-9728-002590263bf5
Discovery 2015-12-28
Entry 2016-01-03
Modified 2016-07-06

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in the 'tx_consume' routine, if a descriptor was to have more than the allowed (ROCKER_TX_FRAGS_MAX=16) fragments.

A privileged user inside the guest could use this flaw to cause memory leakage on the host or crash the Qemu process instance, resulting in a DoS issue.
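
The bounds-check pattern behind this class of off-by-one, as an added example that is neither QEMU's source nor part of the report above. It is a simplified model: the struct, the function names and the guard slot are hypothetical, and only ROCKER_TX_FRAGS_MAX=16 comes from the advisory.

```c
#include <stdio.h>
#include <string.h>
#define ROCKER_TX_FRAGS_MAX 16  /* limit named in the advisory */

/* Hypothetical model; len[16] is a guard slot so the stray store is observable. */
struct frag_table {
    size_t len[ROCKER_TX_FRAGS_MAX + 1];
    int count;
};

/* Off-by-one pattern: store first, then test the limit with '>'.
 * Fragment 17 lands at index 16 before the descriptor is rejected. */
static int gather_check_after(struct frag_table *t, const size_t *frags, int n)
{
    memset(t, 0, sizeof(*t));
    for (int i = 0; i < n; i++) {
        t->len[t->count] = frags[i];
        if (++t->count > ROCKER_TX_FRAGS_MAX)
            return -1;
    }
    return 0;
}

/* Hardened pattern: reject before any slot at or past the limit is used. */
static int gather_check_before(struct frag_table *t, const size_t *frags, int n)
{
    memset(t, 0, sizeof(*t));
    for (int i = 0; i < n; i++) {
        if (t->count >= ROCKER_TX_FRAGS_MAX)
            return -1;
        t->len[t->count++] = frags[i];
    }
    return 0;
}

/* 1 if the slot past the legal entries was written, else 0. */
static int guard_touched(const struct frag_table *t) { return t->len[ROCKER_TX_FRAGS_MAX] != 0; }

int main(void)
{
    size_t frags[ROCKER_TX_FRAGS_MAX + 1];  /* constructed input: 17 fragments */
    struct frag_table t;
    for (int i = 0; i <= ROCKER_TX_FRAGS_MAX; i++) frags[i] = 64;
    int rc = gather_check_after(&t, frags, ROCKER_TX_FRAGS_MAX + 1);
    printf("check after:  rc=%d guard_touched=%d\n", rc, guard_touched(&t));
    rc = gather_check_before(&t, frags, ROCKER_TX_FRAGS_MAX + 1);
    printf("check before: rc=%d guard_touched=%d\n", rc, guard_touched(&t));
    return 0;
}
```

Both variants reject the 17-fragment descriptor, but only the check-before variant does so without first writing past the sixteenth entry.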


CVE Name CVE-2015-8701
FreeBSD PR ports/205813
FreeBSD PR ports/205814