Bug 864797 (CVE-2013-4532)

Summary: VUL-0: CVE-2013-4532: qemu: stellaris_enet: buffer overrun on incoming migration
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Bruce Rogers <brogers>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, brogers, jsegitz, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: openSUSE 13.1
URL: https://smash.suse.de/issue/96373/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2014-02-20 08:52:14 UTC
CVE-2013-4532

Three issues were found:
 * s->next_packet is read from wire as an index into s->rx[].
 * s->tx_fifo_len is read from the wire and later used as an index into
     s->tx_fifo[] when a DATA command is issued by the guest.
 * s->tx_frame_len is read from the wire and can later be used as an index
     into s->tx_fifo[] for memset() when a DATA command is issued by the
     guest.

A user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4532
https://bugzilla.redhat.com/show_bug.cgi?id=1066358
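The unchecked-index pattern this report describes, next to the post-load validation that closes it, as an added C example that is not QEMU's code: the array sizes, struct layout and function names are constructed assumptions, not taken from the stellaris_enet source.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed bounds standing in for the real stellaris_enet sizes (assumed). */
#define RX_SLOTS     4
#define TX_FIFO_SIZE 2048
typedef struct {
    uint8_t  rx[RX_SLOTS][TX_FIFO_SIZE]; /* received frames */
    uint32_t next_packet;                /* index into rx[] */
    uint8_t  tx_fifo[TX_FIFO_SIZE];
    uint32_t tx_fifo_len;                /* write position in tx_fifo[] */
    uint32_t tx_frame_len;               /* byte count handed to memset() */
} enet_state;

/* The three fields exactly as they arrive in the migration stream (constructed). */
typedef struct { uint32_t next_packet, tx_fifo_len, tx_frame_len; } wire_state;

/* Vulnerable pattern: wire values land in device state unchecked, so a
 * later guest DATA command indexes tx_fifo[] with attacker-chosen offsets. */
void load_unchecked(enet_state *s, const wire_state *w)
{
    s->next_packet  = w->next_packet;
    s->tx_fifo_len  = w->tx_fifo_len;
    s->tx_frame_len = w->tx_frame_len;
}

/* Bounds every consumer of the fields tolerates: next_packet must name a
 * real rx[] slot; the fifo counters may at most equal the fifo size. */
bool wire_state_is_sane(uint32_t np, uint32_t fifo_len, uint32_t frame_len)
{
    return np < RX_SLOTS && fifo_len <= TX_FIFO_SIZE && frame_len <= TX_FIFO_SIZE;
}

/* Hardened pattern: validate after load and fail the migration on a bad
 * stream, before any guest command can consume the indices. */
bool load_validated(enet_state *s, const wire_state *w)
{
    if (!wire_state_is_sane(w->next_packet, w->tx_fifo_len, w->tx_frame_len))
        return false;
    load_unchecked(s, w);
    return true;
}

/* Guest DATA write: even with sane state, refuse to write past the fifo. */
bool tx_data_byte(enet_state *s, uint8_t b)
{
    if (s->tx_fifo_len >= TX_FIFO_SIZE) return false;
    s->tx_fifo[s->tx_fifo_len++] = b;
    return true;
}
```

A rejected stream aborts the incoming migration on the destination; the source keeps running, so a corrupted or tampered savevm image cannot reach the index uses listed above.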
Comment 1 Swamp Workflow Management 2014-02-20 23:00:21 UTC
bugbot adjusting priority