Bug 864653 - (CVE-2013-4151) VUL-0: CVE-2013-4151: qemu: virtio: out-of-bounds buffer write on invalid state load
VUL-0: CVE-2013-4151: qemu: virtio: out-of-bounds buffer write on invalid sta...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Andreas Färber
Security Team bot
maint:running:57292:moderate maint:re...
Depends on:
  Show dependency treegraph
Reported: 2014-02-19 15:26 UTC by Victor Pereira
Modified: 2016-04-27 18:53 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-02-19 15:26:17 UTC

Michael S. Tsirkin writes:

QEMU 1.0 out-of-bounds buffer write in virtio_load@virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

An user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.

Comment 1 Swamp Workflow Management 2014-02-19 23:00:52 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-05-24 13:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (864653) was mentioned in
https://build.opensuse.org/request/show/235281 Factory / qemu
Comment 4 Swamp Workflow Management 2014-06-18 13:48:46 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)
Comment 5 Swamp Workflow Management 2014-06-18 17:04:53 UTC
SUSE-SU-2014:0816-1: An update that solves two vulnerabilities and has 20 fixes is now available.

Category: security (moderate)
Bug References: 864391,864649,864650,864653,864655,864665,864671,864673,864678,864682,864769,864796,864801,864802,864804,864805,864811,864812,864814,873235,874749,874788
CVE References: CVE-2014-0150,CVE-2014-2894
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.15.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.15.2
Comment 7 Johannes Segitz 2016-02-02 14:36:25 UTC
fixed everyhwere