[v3.1] qemu: heap overflow flaw while processing certain ATAPI commands (CVE-2015-5154)
The QEMU security team has predisclosed the following advisory:
A heap overflow flaw was found in the way QEMU’s IDE subsystem
handled I/O buffer access while processing certain ATAPI commands.
A privileged guest user in a guest with CDROM drive enabled could
potentially use this flaw to execute arbitrary code on the host
with the privileges of the host’s QEMU process corresponding to
the guest.
IMPACT
======
An HVM guest which has access to an emulated IDE CDROM device
(e.g. with a device with “devtype=cdrom”, or the “cdrom” convenience
alias, in the VBD configuration) can exploit this vulnerability to
take over the qemu process, elevating its privilege to that of the qemu
process.
VULNERABLE SYSTEMS
==================
All Xen systems running x86 HVM guests without stubdomains which have
been configured with an emulated CD-ROM driver model are vulnerable.
Systems using qemu-dm stubdomain device models (for example, by
specifying “device_model_stubdomain_override=1” in xl’s domain
configuration files) are NOT vulnerable.
Both the traditional (“qemu-xen-traditional”) and upstream-based
(“qemu-xen”) qemu device models are potentially vulnerable.
Systems running only PV guests are NOT vulnerable.
ARM systems are NOT vulnerable.
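The shape of the flaw, as an added illustration that is not QEMU's code and not part of the advisory: in an emulated IDE/ATAPI device the guest moves data through the 16-bit PIO data port, and the emulator advances a cursor through a fixed-size I/O buffer on every access. If the handler trusts the guest to stop at the end of the expected transfer instead of checking the cursor itself, a guest that keeps writing (or reading) after the transfer is complete walks off the end of the buffer into whatever the host allocated next to it. The model below is constructed: the buffer size, the `canary` region standing in for neighbouring heap data, and the handler names are assumptions for illustration, not QEMU identifiers. The vulnerable accessor is shown beside a hardened one that refuses any access that would cross `data_end`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an IDE PIO data path; sizes are illustrative only. */
#define IO_BUFFER_SIZE 64
#define CANARY_SIZE    16

typedef struct {
    /* io_buffer followed, as it would be on a real heap, by unrelated data. */
    uint8_t  mem[IO_BUFFER_SIZE + CANARY_SIZE];
    uint8_t *data_ptr;   /* next byte a guest data-port access touches */
    uint8_t *data_end;   /* one past the last byte of the current transfer */
} IDEState;

#define IO_BUFFER(s) ((s)->mem)
#define CANARY(s)    ((s)->mem + IO_BUFFER_SIZE)

/* Prepare a PIO transfer of `len` bytes (clamped to the buffer size). */
static void start_transfer(IDEState *s, size_t len)
{
    if (len > IO_BUFFER_SIZE) {
        len = IO_BUFFER_SIZE;
    }
    memset(IO_BUFFER(s), 0, IO_BUFFER_SIZE);
    memset(CANARY(s), 0xA5, CANARY_SIZE);
    s->data_ptr = IO_BUFFER(s);
    s->data_end = IO_BUFFER(s) + len;
}

/* Vulnerable: every 16-bit data-port write advances data_ptr unconditionally,
 * trusting the guest to stop at data_end. Extra writes spill past io_buffer. */
static void data_writew_vuln(IDEState *s, uint16_t val)
{
    uint8_t *p = s->data_ptr;
    p[0] = (uint8_t)(val & 0xff);
    p[1] = (uint8_t)(val >> 8);
    s->data_ptr = p + 2;
}

/* Hardened: an access that would cross data_end is dropped, so the guest can
 * never move the cursor beyond the transfer it was granted. Returns 1 if the
 * write was accepted, 0 if it was ignored. */
static int data_writew_fixed(IDEState *s, uint16_t val)
{
    uint8_t *p = s->data_ptr;
    if (p + 2 > s->data_end) {
        return 0;
    }
    p[0] = (uint8_t)(val & 0xff);
    p[1] = (uint8_t)(val >> 8);
    s->data_ptr = p + 2;
    return 1;
}

/* Simulate a guest that completes a `len`-byte transfer and then issues
 * `extra` additional 16-bit writes. Returns 1 if the neighbouring data
 * (the canary) is intact afterwards, 0 if it was overwritten. */
static int run_guest(size_t len, size_t extra, int fixed)
{
    IDEState s;
    start_transfer(&s, len);
    size_t words = len / 2 + extra;
    for (size_t i = 0; i < words; i++) {
        if (fixed) {
            data_writew_fixed(&s, 0x4141);
        } else {
            data_writew_vuln(&s, 0x4141);
        }
    }
    for (size_t i = 0; i < CANARY_SIZE; i++) {
        if (CANARY(&s)[i] != 0xA5) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Vulnerable handler: 4 extra words overwrite 8 bytes past the buffer. */
    int vuln_ok  = run_guest(IO_BUFFER_SIZE, 4, 0);
    /* Hardened handler: the same extra writes are dropped. */
    int fixed_ok = run_guest(IO_BUFFER_SIZE, 4, 1);
    return (vuln_ok == 0 && fixed_ok == 1) ? 0 : 1;
}
```

The check in `data_writew_fixed` is the whole fix in this model: the cursor, not the guest's behaviour, decides whether an access is still inside the buffer. The same bound belongs on the read side and on the 32-bit accessors, and it must stay in place after the device has signalled that the transfer is done, since that is exactly when a misbehaving guest keeps going.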
Reference:
http://seclists.org/oss-sec/2015/q3/212
(from redmine: issue id 4495, created on 2015-07-30, closed on 2015-08-05)
- Relations:
- parent #4493 (closed)
- Changesets:
- Revision 940bb1d7 by Natanael Copa on 2015-08-05T10:04:27Z:
main/qemu: security fix for CVE-2015-5154
fixes #4495