Bug 959386 (CVE-2015-8568) - VUL-0: CVE-2015-8568 CVE-2015-8567: kvm,qemu: net: vmxnet3: host memory leakage
Summary: VUL-0: CVE-2015-8568 CVE-2015-8567: kvm,qemu: net: vmxnet3: host memory leakage
Status: RESOLVED FIXED
Alias: CVE-2015-8568
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/159884/
Whiteboard: CVSSv2:RedHat:CVE-2015-8568:2.3:(AV:A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-16 15:50 UTC by Marcus Meissner
Modified: 2016-07-25 11:24 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2015-12-16 15:50:04 UTC
via oss-sec

From: P J P <ppandit@redhat.com>
To: oss security list <oss-security@lists.openwall.com>
cc: Qinghao Tang <luodalongde@gmail.com>
Subject: [oss-security] CVE request Qemu: net: vmxnet3: host memory leakage
Date: Tue, 15 Dec 2015 13:37:59 +0530 (IST)


   Hello,

Qemu emulator built with VMware VMXNET3 paravirtual NIC emulator support is 
vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries 
to activate the vmxnet3 device.

A privileged guest user could use this flaw to leak host memory, resulting in 
DoS on the host.

Upstream patch:
---------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html


This issue was discovered by Qinghao Tang of QIHU 360 Marvel Team.
Comment 1 Marcus Meissner 2015-12-16 15:50:35 UTC
> Qemu emulator built with VMware VMXNET3 paravirtual NIC emulator support is
> vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries
> to activate the vmxnet3 device.
> 
> A privileged guest user could use this flaw to leak host memory, resulting in
> DoS on the host.
> 
> https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html

>> Vmxnet3 device emulator does not check if the device is active
>> before activating it, also it did not free the transmit & receive
>> buffers while deactivating the device, thus resulting in memory
>> leakage on the host. This patch fixes both these issues to avoid
>> host memory leakage.

This is not yet available at
http://git.qemu.org/?p=qemu.git;a=history;f=hw/net/vmxnet3.c but that
may be an expected place for a later update.

"does not check if the device is active before activating it" seems to
be similar to a CWE-372 ("Incomplete Internal State Distinction")
issue. Use CVE-2015-8567 for this aspect of the report.

"did not free the transmit & receive buffers while deactivating" seems
to be similar to a CWE-772 ("Missing Release of Resource after
Effective Lifetime") issue. Use CVE-2015-8568 for this aspect of the
report.


>> I've added a check in vmxnet3_deactivate_device() to avoid double free.

We think this may mean that the double free existed only in an early
version of the patch, and did not exist in any shipped QEMU code.
There is no CVE ID for the double free.
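Added illustration of the two defects split out above (CVE-2015-8567, activation without an "already active" check; CVE-2015-8568, deactivation that never releases the rings) beside the hardened pattern the upstream fix describes. This is a stand-alone model written for this page, not code from QEMU's hw/net/vmxnet3.c or from anyone in this bug; the struct, function names, ring sizes and the `live_allocs` counter are all hypothetical, the counter standing in for what a leak checker would report on the host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ring geometry; the real device's values do not matter here. */
#define TXQ_BUFS 8
#define RXQ_BUFS 16
#define BUF_SIZE 2048

/* Heap blocks the model currently owns: a stand-in for the host-side
 * memory a leak checker would attribute to the emulator process. */
static size_t live_allocs = 0;
static size_t last_peak = 0;   /* blocks owned right after an activate burst */

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p) {
        live_allocs++;
    }
    return p;
}

static void track_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Minimal model of the emulated device's per-instance state. */
typedef struct {
    int device_active;
    unsigned char *txq;   /* transmit ring storage */
    unsigned char *rxq;   /* receive ring storage */
} vmxnet3_model;

/* CWE-372 aspect: no "already active?" check, so every guest activate
 * command allocates fresh rings and orphans the previous pair. */
void vuln_activate(vmxnet3_model *s)
{
    s->txq = track_alloc(TXQ_BUFS * BUF_SIZE);
    s->rxq = track_alloc(RXQ_BUFS * BUF_SIZE);
    s->device_active = 1;
}

/* CWE-772 aspect: deactivation flips the flag but never frees the rings. */
void vuln_deactivate(vmxnet3_model *s)
{
    s->device_active = 0;
}

/* Hardened: activation is a no-op while already active, so a guest that
 * spams the activate command cannot grow host memory. */
void fixed_activate(vmxnet3_model *s)
{
    if (s->device_active) {
        return;
    }
    s->txq = track_alloc(TXQ_BUFS * BUF_SIZE);
    s->rxq = track_alloc(RXQ_BUFS * BUF_SIZE);
    s->device_active = 1;
}

/* Hardened: deactivation releases the rings and NULLs the pointers; the
 * guard turns a repeated deactivate into a no-op instead of a double free. */
void fixed_deactivate(vmxnet3_model *s)
{
    if (!s->device_active) {
        return;
    }
    track_free(s->txq);
    s->txq = NULL;
    track_free(s->rxq);
    s->rxq = NULL;
    s->device_active = 0;
}

/* Drive one model through `rounds` guest activate commands, then two
 * deactivates (the second exercises the double-free guard). Records the
 * block count after the burst in last_peak and returns the blocks still
 * owned afterwards, i.e. what leaked. */
size_t run_guest_cycle(void (*activate)(vmxnet3_model *),
                       void (*deactivate)(vmxnet3_model *), int rounds)
{
    vmxnet3_model s;
    size_t leaked;

    memset(&s, 0, sizeof s);
    live_allocs = 0;
    for (int i = 0; i < rounds; i++) {
        activate(&s);
    }
    last_peak = live_allocs;
    deactivate(&s);
    deactivate(&s);
    leaked = live_allocs;
    /* Only the last ring pair is still reachable through s; rings the
     * vulnerable path orphaned earlier are gone for good, as on a real host. */
    track_free(s.txq);
    track_free(s.rxq);
    return leaked;
}

size_t peak_of_last_cycle(void)
{
    return last_peak;
}

int main(void)
{
    size_t leaked = run_guest_cycle(vuln_activate, vuln_deactivate, 100);
    printf("vulnerable: %zu blocks after burst, %zu leaked\n", peak_of_last_cycle(), leaked);
    leaked = run_guest_cycle(fixed_activate, fixed_deactivate, 100);
    printf("hardened:   %zu blocks after burst, %zu leaked\n", peak_of_last_cycle(), leaked);
    return 0;
}
```

Each vulnerable round costs the host two ring allocations that nothing ever reaches again, so the guest controls host memory growth purely through how often it repeats the command; the hardened pair bounds the device at one ring set and returns to zero on deactivate.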
Comment 2 Swamp Workflow Management 2015-12-16 23:00:23 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2016-06-13 11:10:48 UTC
SUSE-SU-2016:1560-1: An update that solves 37 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 886378,895528,901508,928393,934069,940929,944463,947159,958491,958917,959005,959386,960334,960708,960725,960835,961332,961333,961358,961556,961691,962320,963782,964413,967969,969121,969122,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723,981266
CVE References: CVE-2014-3615,CVE-2014-3689,CVE-2014-9718,CVE-2015-3214,CVE-2015-5239,CVE-2015-5745,CVE-2015-7295,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4952
Sources used:
SUSE Linux Enterprise Server 12 (src):    qemu-2.0.2-48.19.1
SUSE Linux Enterprise Desktop 12 (src):    qemu-2.0.2-48.19.1
Comment 5 Swamp Workflow Management 2016-06-29 09:08:45 UTC
SUSE-SU-2016:1703-1: An update that solves 32 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 886378,940929,958491,958917,959005,959386,960334,960708,960725,960835,961332,961333,961358,961556,961691,962320,963782,964411,964413,967969,969121,969122,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723,981266
CVE References: CVE-2015-5745,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2197,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4952
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    qemu-2.3.1-14.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    qemu-2.3.1-14.1
Comment 6 Swamp Workflow Management 2016-07-06 20:05:35 UTC
openSUSE-SU-2016:1750-1: An update that solves 32 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 886378,940929,958491,958917,959005,959386,960334,960708,960725,960835,961332,961333,961358,961556,961691,962320,963782,964411,964413,967969,969121,969122,969350,970036,970037,975128,975136,975700,976109,978158,978160,980711,980723,981266
CVE References: CVE-2015-5745,CVE-2015-7549,CVE-2015-8504,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2197,CVE-2016-2198,CVE-2016-2538,CVE-2016-2841,CVE-2016-2857,CVE-2016-2858,CVE-2016-3710,CVE-2016-3712,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4952
Sources used:
openSUSE Leap 42.1 (src):    qemu-2.3.1-15.1, qemu-linux-user-2.3.1-15.1, qemu-testsuite-2.3.1-15.2
Comment 7 Johannes Segitz 2016-07-25 11:24:18 UTC
fixed everywhere