[v3.1] qemu: malicious PRDT flow from guest to host (CVE-2014-9718)
The BMDMA and AHCI HBA interfaces in the IDE emulation of QEMU 1.0 through 2.1.3 interpret the return value of the bmdma_prepare_buf and ahci_dma_prepare_buf functions inconsistently. A guest OS user can exploit this with a PRDT that describes zero complete sectors to cause a host OS denial of service (memory consumption or an infinite loop, and a system crash).
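The following is an added illustration, not QEMU code and not part of the original tracker entry. It is a deliberately simplified C model of the return-value ambiguity the description points at: a guest-controlled PRDT is summed by a prepare_buf-style helper, and a DMA loop then moves whole 512-byte sectors. When the PRDT covers less than one sector (or is empty), the prepared length rounds down to zero sectors; a caller that treats 0 as "nothing ready yet, re-arm" never makes progress, while the hardened caller treats "less than a sector" as a malformed PRDT and aborts the command. Every identifier (prd_entry, prepare_buf, dma_loop_vulnerable, dma_loop_fixed) and the sample PRDTs are constructed for this example; the loop is bounded by max_iter only so the model terminates, a return of -1 standing for the host hanging.

```c
/*
 * Added illustration for CVE-2014-9718 (toy model, not QEMU code).
 * A PRDT (Physical Region Descriptor Table) is a guest-controlled list
 * of DMA regions.  The host sums the bytes it describes and then moves
 * whole sectors; a PRDT with fewer bytes than one sector yields zero
 * sectors, and the two callers below read that zero differently.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SECTOR_SIZE 512

/* One PRDT entry, modelled as a byte count only (addresses omitted).
 * In a real BMDMA PRD a count field of 0 means 64 KiB; this model uses
 * literal counts so that a short table is easy to express. */
struct prd_entry {
    uint32_t byte_count;
};

/* Constructed sample PRDTs. */
static const struct prd_entry good_prdt[]  = { {1024}, {1024} }; /* 4 sectors */
static const struct prd_entry short_prdt[] = { {100} };          /* < 1 sector */

/* Model of *_prepare_buf: sum the bytes the PRDT describes after the
 * first `skip` bytes (already transferred), capped at bytes_wanted.
 * Returns bytes prepared; 0 for an empty or exhausted PRDT, and a
 * value below SECTOR_SIZE for a short one. */
static int32_t prepare_buf(const struct prd_entry *prdt, size_t n_entries,
                           size_t skip, size_t bytes_wanted)
{
    size_t total = 0;
    for (size_t i = 0; i < n_entries && total < skip + bytes_wanted; i++) {
        total += prdt[i].byte_count;
    }
    if (total <= skip) {
        return 0;
    }
    total -= skip;
    if (total > bytes_wanted) {
        total = bytes_wanted;
    }
    return (int32_t)total;
}

/* Vulnerable interpretation: zero whole sectors is taken as "not ready
 * yet" and the DMA callback re-arms itself without making progress.
 * Returns 0 on completion, -1 when max_iter is exhausted (the hang). */
int dma_loop_vulnerable(const struct prd_entry *prdt, size_t n_entries,
                        size_t sectors, int max_iter)
{
    size_t done = 0;
    for (int iter = 0; iter < max_iter; iter++) {
        if (done == sectors) {
            return 0;
        }
        int32_t prepared = prepare_buf(prdt, n_entries, done * SECTOR_SIZE,
                                       (sectors - done) * SECTOR_SIZE);
        size_t n = (size_t)prepared / SECTOR_SIZE; /* 0 for a short PRDT */
        done += n;                                 /* no progress when n == 0 */
    }
    return -1;
}

/* Hardened interpretation: anything under one full sector is a
 * malformed or exhausted PRDT; fail the command (-2) instead of looping. */
int dma_loop_fixed(const struct prd_entry *prdt, size_t n_entries,
                   size_t sectors, int max_iter)
{
    size_t done = 0;
    for (int iter = 0; iter < max_iter; iter++) {
        if (done == sectors) {
            return 0;
        }
        int32_t prepared = prepare_buf(prdt, n_entries, done * SECTOR_SIZE,
                                       (sectors - done) * SECTOR_SIZE);
        if (prepared < SECTOR_SIZE) {
            return -2; /* report a DMA error to the guest, do not retry */
        }
        done += (size_t)prepared / SECTOR_SIZE;
    }
    return -1;
}

int main(void)
{
    printf("good PRDT:  vulnerable=%d fixed=%d\n",
           dma_loop_vulnerable(good_prdt, 2, 4, 100),
           dma_loop_fixed(good_prdt, 2, 4, 100));
    printf("short PRDT: vulnerable=%d fixed=%d\n",
           dma_loop_vulnerable(short_prdt, 1, 1, 100),
           dma_loop_fixed(short_prdt, 1, 1, 100));
    printf("empty PRDT: vulnerable=%d fixed=%d\n",
           dma_loop_vulnerable(NULL, 0, 1, 100),
           dma_loop_fixed(NULL, 0, 1, 100));
    return 0;
}
```

The point the model isolates is that prepare_buf uses one return value for two different conditions (an error-like short table and a legitimately empty remainder), so the caller alone decides the outcome. The fixed loop makes the decision explicit and fails closed; the same check also catches a PRDT that covers some but not all of the requested sectors, which would otherwise stall after the first partial transfer.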
References:
- http://seclists.org/oss-sec/2015/q2/231
- CONFIRM: http://git.qemu.org/?p=qemu.git;a=commit;h=3251bdcf1c67427d964517053c3d185b46e618e8
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9718
(from redmine: issue id 4206, created on 2015-05-18, closed on 2015-08-05)
- Relations:
- parent #4202 (closed)
- Changesets:
- Revision 00ade249 by Natanael Copa on 2015-05-20T08:32:37Z:
main/qemu: upgrade to 2.1.3 and fix CVE-2014-9718
fixes #4206