FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

qemu -- denial of service vulnerability in Rocker switch emulation

Affected packages
qemu < 2.5.50
qemu-devel < 2.5.50
qemu-sbruno < 2.5.50.g20160213
qemu-user-static < 2.5.50.g20160213

Details

VuXML ID 1384f2fd-b1be-11e5-9728-002590263bf5
Discovery 2015-12-28
Entry 2016-01-03
Modified 2016-07-06

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in the 'tx_consume' routine, if a descriptor was to have more than the allowed (ROCKER_TX_FRAGS_MAX=16) fragments.

A privileged user inside the guest could use this flaw to cause memory leakage on the host or crash the Qemu process instance, resulting in a DoS issue.
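
The bug class described in the report, shown as an added example that is not part of the report and is not QEMU's code: a simplified model of a loop that fills a fixed table of 16 fragment slots, with the bounds check placed before the write and every filled slot released on rejection. Only `ROCKER_TX_FRAGS_MAX` comes from the advisory; the structures, `consume_frags`, `release` and `live_allocs` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

#define ROCKER_TX_FRAGS_MAX 16   /* limit named in the advisory */

/* Hypothetical stand-in for one guest-supplied fragment. */
struct frag { const void *data; size_t len; };
struct buf  { void *base; size_t len; };

static int live_allocs;  /* outstanding host buffers, to make leaks visible */

static void release(struct buf *iov, int n)
{
    for (int i = 0; i < n; i++) {
        free(iov[i].base);
        live_allocs--;
    }
}

/* Copy nfrags fragments into a table of ROCKER_TX_FRAGS_MAX slots.
 * Returns the number of fragments consumed, or -1 if the descriptor
 * is rejected. */
int consume_frags(const struct frag *frags, int nfrags)
{
    struct buf iov[ROCKER_TX_FRAGS_MAX];
    int iovcnt = 0;

    for (int i = 0; i < nfrags; i++) {
        /* Check before the write. A test placed after the write, such
         * as "++iovcnt > ROCKER_TX_FRAGS_MAX", would let a 17th
         * fragment be stored in iov[16], one past the end. */
        if (iovcnt >= ROCKER_TX_FRAGS_MAX)
            goto err;
        iov[iovcnt].base = malloc(frags[i].len ? frags[i].len : 1);
        if (!iov[iovcnt].base)
            goto err;
        live_allocs++;
        memcpy(iov[iovcnt].base, frags[i].data, frags[i].len);
        iov[iovcnt].len = frags[i].len;
        iovcnt++;
    }
    release(iov, iovcnt);  /* normal path: a real device would transmit first */
    return iovcnt;
err:
    release(iov, iovcnt);  /* rejection must not leak the slots already filled */
    return -1;
}
```
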

References

CVE Name CVE-2015-8701
FreeBSD PR ports/205813
FreeBSD PR ports/205814
URL http://git.qemu.org/?p=qemu.git;a=commit;h=007cd223de527b5f41278f2d886c1a4beb3e67aa
URL http://www.openwall.com/lists/oss-security/2015/12/28/6
URL https://github.com/seanbruno/qemu-bsd-user/commit/007cd223de527b5f41278f2d886c1a4beb3e67aa
URL https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html