qemu: heap overflow flaw while processing certain ATAPI commands (CVE-2015-5154)
The QEMU security team has predisclosed the following advisory:
A heap overflow flaw was found in the way QEMU’s IDE subsystem
handled I/O buffer access while processing certain ATAPI commands.
A privileged guest user in a guest with CDROM drive enabled could
potentially use this flaw to execute arbitrary code on the host
with the privileges of the host’s QEMU process corresponding to
the guest.
IMPACT
An HVM guest which has access to an emulated IDE CDROM device
(e.g. a VBD configured with “devtype=cdrom”, or with the “cdrom”
convenience alias) can exploit this vulnerability to take over the
qemu process, elevating its privilege to that of the qemu process
serving the guest.
VULNERABLE SYSTEMS
All Xen systems running x86 HVM guests without stubdomains which have
been configured with an emulated CD-ROM driver model are vulnerable.
Systems using qemu-dm stubdomain device models (for example, by
specifying “device_model_stubdomain_override=1” in xl’s domain
configuration files) are NOT vulnerable.
Both the traditional (“qemu-xen-traditional”) and upstream-based
(“qemu-xen”) qemu device models are potentially vulnerable.
Systems running only PV guests are NOT vulnerable.
ARM systems are NOT vulnerable.
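The IMPACT and VULNERABLE SYSTEMS criteria above can be mapped directly onto an xl domain configuration: the domain must be HVM, must carry a VBD with “devtype=cdrom” (or the “cdrom” alias), and must not run its device model in a stubdomain. The following triage script is an added example, not part of the advisory or of the Alpine or Xen packages; it parses xl.cfg-style files and classifies them against those criteria. The keys builder/type, disk, device_model_version and device_model_stubdomain_override are real xl.cfg keys, but only the last one is named on this page; the three sample configurations are constructed for illustration, and the script assumes an x86 host (ARM is out of scope per the advisory and is not detectable from the config).

```python
"""Triage xl domain configs against the XSA-138 / CVE-2015-5154 exposure criteria.

Added example; the sample configurations below are constructed, not real deployments.
"""
import re

# Constructed: HVM guest with an emulated CD-ROM and an in-dom0 qemu -> exposed.
EXPOSED_CFG = """
name = "hvm-cdrom"
builder = "hvm"
memory = 1024
device_model_version = "qemu-xen"
disk = [
    'file:/var/lib/xen/images/guest.img,hda,w',
    '/var/lib/xen/iso/install.iso,format=raw,devtype=cdrom,vdev=hdc,access=r',
]
"""

# Constructed: same guest, but the device model runs in a PV stubdomain -> not vulnerable.
MITIGATED_CFG = """
name = "hvm-cdrom-stub"
builder = "hvm"
memory = 1024
device_model_version = "qemu-xen-traditional"
device_model_stubdomain_override = 1   # qemu runs in its own stubdomain
disk = [ 'file:/var/lib/xen/images/guest.img,hda,w', '/var/lib/xen/iso/install.iso,hdc:cdrom,r' ]
"""

# Constructed: PV guest, no emulated IDE at all -> not vulnerable.
PV_CFG = """
name = "pv-guest"
kernel = "/boot/vmlinuz-xen"
disk = [ '/var/lib/xen/images/pv.img,raw,xvda,rw' ]
"""

# key = value, where value is a bracketed list, a quoted string, or a bare token.
_ASSIGN = re.compile(r"""(\w+)\s*=\s*(\[.*?\]|"[^"]*"|'[^']*'|[^\s#]+)""", re.S)
_STR = re.compile(r"""'([^']*)'|"([^"]*)\"""")


def parse_xl_cfg(text):
    """Return {key: value}; lists become lists of str, scalars become str."""
    stripped = "\n".join(re.sub(r"#.*", "", line) for line in text.splitlines())
    cfg = {}
    for key, raw in _ASSIGN.findall(stripped):
        if raw.startswith("["):
            cfg[key] = [a or b for a, b in _STR.findall(raw)]
        else:
            cfg[key] = raw.strip("\"'")
    return cfg


def is_hvm(cfg):
    """Older xl uses builder="hvm"; newer xl uses type="hvm". PV guests have neither."""
    return (cfg.get("builder") or cfg.get("type") or "").lower() == "hvm"


def has_emulated_cdrom(cfg):
    """True if any VBD is a CD-ROM: devtype=cdrom, the bare 'cdrom' alias, or legacy 'hdc:cdrom'."""
    for spec in cfg.get("disk", []):
        for param in (p.strip().lower() for p in spec.split(",")):
            if param in ("devtype=cdrom", "cdrom") or param.endswith(":cdrom"):
                return True
    return False


def uses_stubdomain(cfg):
    """device_model_stubdomain_override=1 moves qemu out of dom0, which the advisory says is NOT vulnerable."""
    return cfg.get("device_model_stubdomain_override", "0").lower() in ("1", "true")


def xsa138_exposure(text):
    """Classify one xl config as exposed / mitigated-stubdomain / not-affected-pv / not-affected-no-cdrom."""
    cfg = parse_xl_cfg(text)
    if not is_hvm(cfg):
        return "not-affected-pv"
    if not has_emulated_cdrom(cfg):
        return "not-affected-no-cdrom"
    if uses_stubdomain(cfg):
        return "mitigated-stubdomain"
    return "exposed"


if __name__ == "__main__":
    for label, cfg_text in (("EXPOSED_CFG", EXPOSED_CFG),
                            ("MITIGATED_CFG", MITIGATED_CFG),
                            ("PV_CFG", PV_CFG)):
        print(f"{label}: {xsa138_exposure(cfg_text)}")
```

Running it over a directory of real xl configuration files is a matter of passing each file's contents to xsa138_exposure(); anything classified as “exposed” needs the patched qemu-xen or qemu-xen-traditional package, or a switch to a stubdomain device model, before the guest is restarted.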
(from redmine: issue id 4493, created on 2015-07-30, closed on 2015-08-05)
- Relations:
- child #4494 (closed)
- child #4495 (closed)
- child #4496 (closed)
- Changesets:
- Revision 2da90589 by Natanael Copa on 2015-07-31T06:57:57Z:
main/xen: security fixes (CVE-2015-3259,CVE-2015-5154)
ref #4493