[v3.0] qemu: missing field list terminator in vmstate_xhci_event (CVE-2014-5263)
It was found that vmstate_xhci_event field list was missing VMSTATE_END_OF_LIST() terminator and traversing through this list would result in out-of-bounds access during vm state saving and loading.
Depending on how vmstate_xhci_event is placed in the qemu binary, this issue can range from a non-issue or an infinite loop to (potentially) privilege escalation, in case we end up with fields whose info and/or field_exists members are initialized in a way that is useful for exploitation (most probably unlikely).
In the worst case, an attacker able to alter the migration data could use this flaw to corrupt QEMU process memory.
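The defect class is easiest to see in code. The following is an added illustration, not QEMU's own code and not part of the original report: a constructed, simplified model of a vmstate field list in which, as in QEMU, a NULL name entry marks the end of the list. The struct, the field names and the macros (VMStateFieldModel, VMSTATE_END_OF_LIST_MODEL, walk_fields, CHECK_TERMINATED) are stand-ins assumed for illustration. It shows a save/load-style walk that depends entirely on the terminator, a bounded walk that reports a missing terminator instead of reading past the array, and an array-size check that can be applied to every field list at build or test time.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-in for a vmstate field descriptor.
 * QEMU's real VMStateField has many more members; only what the
 * example needs is modelled here. */
typedef struct {
    const char *name;   /* NULL marks the end of the list */
    size_t offset;      /* offset of the field in the device state */
    size_t size;        /* size of the field in bytes */
} VMStateFieldModel;

/* Stand-in for VMSTATE_END_OF_LIST(): the sentinel entry. */
#define VMSTATE_END_OF_LIST_MODEL() { .name = NULL, .offset = 0, .size = 0 }

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Correctly terminated list (constructed sample). */
static const VMStateFieldModel fields_ok[] = {
    { "type",  0, 4 },
    { "flags", 4, 4 },
    VMSTATE_END_OF_LIST_MODEL(),
};

/* Same list with the terminator missing (constructed sample): this is
 * the shape of the vmstate_xhci_event defect. A loop that stops only on
 * name == NULL would read whatever follows this array in memory. */
static const VMStateFieldModel fields_missing[] = {
    { "type",  0, 4 },
    { "flags", 4, 4 },
};

/* Bounded version of the save/load walk: iterate until the sentinel,
 * but never past max_fields (the real array length supplied by the
 * caller). Returns the number of fields before the terminator, or -1
 * if no terminator exists within the array, i.e. the list is malformed. */
static int walk_fields(const VMStateFieldModel *f, size_t max_fields)
{
    for (size_t i = 0; i < max_fields; i++) {
        if (f[i].name == NULL) {
            return (int)i;
        }
    }
    return -1;   /* ran to the end of the array without finding the sentinel */
}

/* Check usable on any field-list array literal: the last element must
 * be the terminator. Suitable for unit tests over every list in a tree. */
#define CHECK_TERMINATED(arr) ((arr)[ARRAY_LEN(arr) - 1].name == NULL)

int main(void)
{
    printf("fields_ok:      %d fields, terminated=%d\n",
           walk_fields(fields_ok, ARRAY_LEN(fields_ok)),
           CHECK_TERMINATED(fields_ok));
    printf("fields_missing: %d fields, terminated=%d\n",
           walk_fields(fields_missing, ARRAY_LEN(fields_missing)),
           CHECK_TERMINATED(fields_missing));
    return 0;
}
```

The unbounded loop that QEMU's save/load code used is correct only under the invariant that every list ends with the sentinel; the fix commit referenced below restores that invariant for vmstate_xhci_event. A CHECK_TERMINATED-style assertion over each field list is a cheap way to catch the same omission in review or CI before it reaches a migration stream.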
Affected: vmstate_xhci_event was introduced in qemu 1.6 branch. So only Alpine Linux v2.7 and v3.0 are vulnerable. The issue is fixed in v2.0.1.
References:
CONFIRM: http://seclists.org/oss-sec/2014/q3/382
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1126543
COMMIT: http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56
(from redmine: issue id 3325, created on 2014-08-27, closed on 2014-10-23)
- Relations:
- parent #3323 (closed)