Bug 864812 (CVE-2013-4148)

Summary: VUL-0: CVE-2013-4148: qemu: virtio-net: buffer overflow on invalid state load
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Andreas Färber <afaerber>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, jsegitz, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/96375/
Whiteboard: maint:running:57292:moderate maint:released:sle11-sp3:57584
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2014-02-20 09:07:01 UTC
CVE-2013-4148

Michael S. Tsirkin writes:

QEMU 1.0 integer conversion in virtio_net_load()@hw/net/virtio-net.c

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

A user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4148
https://bugzilla.redhat.com/show_bug.cgi?id=1066334
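Added example, not code from the bug report or from QEMU: it reproduces the arithmetic the description walks through (u32 from the stream assigned to a signed int, the `<= MAC_TABLE_ENTRIES` check passing for a negative value, the multiply by ETH_ALEN wrapping to a large positive byte count) and sets a hardened loader beside it. `MAC_TABLE_ENTRIES` is assumed to be 64 as in QEMU 1.x hw/net/virtio-net.c; the `mig_stream_t` stand-in for QEMUFile, the function names and the byte sequences are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed QEMU 1.x values for this example. */
#define MAC_TABLE_ENTRIES 64
#define ETH_ALEN 6

typedef struct {
    int in_use;                                  /* signed, as in QEMU 1.0 */
    uint8_t macs[MAC_TABLE_ENTRIES * ETH_ALEN];
} mac_table_t;

/* Constructed stand-in for QEMUFile: a byte buffer plus a read cursor. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} mig_stream_t;

static int stream_get_be32(mig_stream_t *f, uint32_t *out)
{
    if (f->len - f->pos < 4) return -1;
    *out = ((uint32_t)f->buf[f->pos] << 24) | ((uint32_t)f->buf[f->pos + 1] << 16)
         | ((uint32_t)f->buf[f->pos + 2] << 8) | (uint32_t)f->buf[f->pos + 3];
    f->pos += 4;
    return 0;
}

/* The vulnerable arithmetic, isolated: given the 32-bit in_use word read
 * from the stream, return the byte count the original code would hand to
 * qemu_get_buffer(), or -1 if the `<= MAC_TABLE_ENTRIES` check rejects it.
 * Nothing is copied here; the point is the number that comes out. */
long vulnerable_copy_size(uint32_t saved_in_use)
{
    /* u32 -> int: values >= 0x80000000 become negative (gcc/clang wrap) */
    int in_use = (int)saved_in_use;
    if (in_use <= MAC_TABLE_ENTRIES) {          /* a negative in_use passes */
        /* in_use * ETH_ALEN overflows int in the original; compute the
         * wrapped 32-bit result unsigned here to avoid signed-overflow UB.
         * 0x81000000 * 6 wraps to 0x06000000: positive and far larger than
         * sizeof(macs) == 384. */
        return (long)(int)((uint32_t)in_use * ETH_ALEN);
    }
    return -1;
}

/* Hardened loader: keep the count unsigned, reject before any arithmetic,
 * size the copy in size_t, and confirm the stream actually holds the bytes. */
int load_mac_table_hardened(mac_table_t *t, mig_stream_t *f)
{
    uint32_t saved;
    if (stream_get_be32(f, &saved) < 0) return -1;
    if (saved > MAC_TABLE_ENTRIES) return -1;            /* rejects 0x81000000 */
    size_t nbytes = (size_t)saved * ETH_ALEN;            /* <= sizeof(t->macs) */
    if (f->len - f->pos < nbytes) return -1;             /* truncated stream */
    memcpy(t->macs, f->buf + f->pos, nbytes);
    f->pos += nbytes;
    t->in_use = (int)saved;
    return 0;
}

int main(void)
{
    /* Constructed stream: in_use = 0x81000000, the value from the report. */
    static const uint8_t bad[] = { 0x81, 0x00, 0x00, 0x00 };
    mig_stream_t f = { bad, sizeof bad, 0 };
    mac_table_t t;
    memset(&t, 0, sizeof t);

    printf("vulnerable size for 0x81000000: %ld bytes (table holds %zu)\n",
           vulnerable_copy_size(0x81000000u), sizeof t.macs);
    printf("hardened loader: %s\n",
           load_mac_table_hardened(&t, &f) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The hardened version makes the check on the unsigned value and only then derives a `size_t` byte count, so no sign change can slip a huge count past a comparison against a small constant; the stream-length check catches the other direction, where a short image would make `qemu_get_buffer` read past the available data.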
Comment 1 Swamp Workflow Management 2014-02-20 23:01:00 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-05-24 13:01:47 UTC
This is an autogenerated message for OBS integration:
This bug (864812) was mentioned in
https://build.opensuse.org/request/show/235281 Factory / qemu
Comment 4 Swamp Workflow Management 2014-06-18 13:49:20 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)
Comment 5 Swamp Workflow Management 2014-06-18 17:07:16 UTC
SUSE-SU-2014:0816-1: An update that solves two vulnerabilities and has 20 fixes is now available.

Category: security (moderate)
Bug References: 864391,864649,864650,864653,864655,864665,864671,864673,864678,864682,864769,864796,864801,864802,864804,864805,864811,864812,864814,873235,874749,874788
CVE References: CVE-2014-0150,CVE-2014-2894
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.15.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.15.2
Comment 7 Johannes Segitz 2016-02-02 08:59:29 UTC
fixed everywhere