The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

| Link | Tags |
|---|---|
| http://www.ubuntu.com/usn/USN-3047-1 | third party advisory, vendor advisory |
| http://www.openwall.com/lists/oss-security/2016/05/30/3 | third party advisory, mailing list |
| https://security.gentoo.org/glsa/201609-01 | third party advisory, vendor advisory |
| http://www.ubuntu.com/usn/USN-3047-2 | third party advisory, vendor advisory |
| https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg05271.html | mailing list, patch, vendor advisory |
| http://www.securityfocus.com/bid/90927 | vdb entry, third party advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=1336429 | issue tracking, third party advisory |
| https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html | third party advisory, mailing list |