Bug 1083291 (CVE-2018-7550) - VUL-0: CVE-2018-7550 qemu, kvm: i386: multiboot OOB access while loading kernel image
Summary: VUL-0: CVE-2018-7550 qemu, kvm: i386: multiboot OOB access while loading ker...
Status: RESOLVED FIXED
Alias: CVE-2018-7550
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Liang Yan
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/200981/
Whiteboard: CVSSv2:RedHat:CVE-2018-7550:6.2:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-28 12:49 UTC by Johannes Segitz
Modified: 2018-08-20 05:49 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2018-02-28 12:49:06 UTC
Quick Emulator(QEMU) built with the PC System Emulator with multiboot feature
support is vulnerable to an OOB r/w memory access issue. It could occur while
loading a kernel image during a guest boot if muliboot head addresses
mh_load_end_addr was greater than mh_bss_end_addr.

A user/process could use this flaw to potentially achieve arbitrary code
execution on a host.

Patch: https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html

Please include this in the current round you're working on

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1549798
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7550
Comment 1 Liang Yan 2018-03-16 16:33:03 UTC
Fix has been kept changing until yesterday, will keep tracking.

multiboot: check mh_load_end_addr address field

multiboot: bss_end_addr can be zero / c

to: multiboot: Check validity of mh_header_addr


https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg04423.html
Comment 2 Swamp Workflow Management 2018-03-21 20:08:59 UTC
SUSE-SU-2018:0762-1: An update that solves 8 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1040202,1068032,1068613,1070144,1071228,1073489,1074572,1076114,1076775,1076813,1082276,1083291
CVE References: CVE-2017-15119,CVE-2017-15124,CVE-2017-16845,CVE-2017-17381,CVE-2017-18043,CVE-2017-5715,CVE-2018-5683,CVE-2018-7550
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    qemu-2.9.1-6.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    qemu-2.9.1-6.12.1
SUSE CaaS Platform ALL (src):    qemu-2.9.1-6.12.1
Comment 3 Swamp Workflow Management 2018-03-22 23:08:47 UTC
openSUSE-SU-2018:0780-1: An update that solves 8 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1040202,1068032,1068613,1070144,1071228,1073489,1074572,1076114,1076775,1076813,1082276,1083291
CVE References: CVE-2017-15119,CVE-2017-15124,CVE-2017-16845,CVE-2017-17381,CVE-2017-18043,CVE-2017-5715,CVE-2018-5683,CVE-2018-7550
Sources used:
openSUSE Leap 42.3 (src):    qemu-2.9.1-41.1, qemu-linux-user-2.9.1-41.1, qemu-testsuite-2.9.1-41.1
Comment 4 Swamp Workflow Management 2018-03-27 19:10:22 UTC
SUSE-SU-2018:0831-1: An update that solves 9 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1040202,1068032,1068613,1070144,1071228,1073489,1076114,1076179,1076775,1076814,1082276,1083291,1085598
CVE References: CVE-2017-15119,CVE-2017-15124,CVE-2017-16845,CVE-2017-17381,CVE-2017-18030,CVE-2017-18043,CVE-2017-5715,CVE-2018-5683,CVE-2018-7550
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    qemu-2.6.2-41.37.1
SUSE Linux Enterprise Server 12-SP2 (src):    qemu-2.6.2-41.37.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    qemu-2.6.2-41.37.1
Comment 5 Swamp Workflow Management 2018-04-25 16:15:40 UTC
SUSE-SU-2018:1077-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1068032,1076114,1076179,1082276,1083291
CVE References: CVE-2017-18030,CVE-2017-5715,CVE-2018-5683,CVE-2018-7550
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-60.9.1
Comment 6 Swamp Workflow Management 2018-05-16 19:10:42 UTC
SUSE-SU-2018:1308-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1068032,1076114,1076179,1082276,1083291
CVE References: CVE-2017-18030,CVE-2017-5715,CVE-2018-5683,CVE-2018-7550
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-53.17.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.17.1
Comment 7 Swamp Workflow Management 2018-08-16 07:13:28 UTC
SUSE-SU-2018:2340-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1083291,1087082,1091695,1094725,1094898,1094913,1096223
CVE References: CVE-2018-11806,CVE-2018-3639,CVE-2018-7550
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    qemu-2.11.2-9.4.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    qemu-2.11.2-9.4.1
Comment 8 Swamp Workflow Management 2018-08-17 10:15:31 UTC
openSUSE-SU-2018:2402-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1083291,1087082,1091695,1094725,1094898,1094913,1096223
CVE References: CVE-2018-11806,CVE-2018-3639,CVE-2018-7550
Sources used:
openSUSE Leap 15.0 (src):    qemu-2.11.2-lp150.7.6.1, qemu-linux-user-2.11.2-lp150.7.6.1, qemu-testsuite-2.11.2-lp150.7.6.1
Comment 9 Marcus Meissner 2018-08-20 05:49:56 UTC
released