The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
| Link | Tags |
|---|---|
| http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=973e7170dddefb491a48df5cba33b2ae151013a0 | |
| https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html | mailing list third party advisory patch |
| https://access.redhat.com/errata/RHSA-2017:2392 | third party advisory vendor advisory |
| http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html | mailing list third party advisory vendor advisory |
| https://security.gentoo.org/glsa/201609-01 | third party advisory vendor advisory |
| http://www.securityfocus.com/bid/92996 | vdb entry third party advisory |
| http://www.openwall.com/lists/oss-security/2016/09/16/10 | third party advisory mailing list |
| http://www.openwall.com/lists/oss-security/2016/09/16/4 | third party advisory mailing list |
| https://access.redhat.com/errata/RHSA-2017:2408 | third party advisory vendor advisory |