qemu -- denial of service vulnerability in Rocker switch emulation

2015-12-28T00:00:00
ID 1384F2FD-B1BE-11E5-9728-002590263BF5
Type freebsd
Reporter FreeBSD
Modified 2016-07-06T00:00:00

Description

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in the 'tx_consume' routine, if a descriptor were to have more than the allowed (ROCKER_TX_FRAGS_MAX=16) fragments.

A privileged user inside a guest could use this flaw to cause memory leakage on the host or crash the Qemu process instance, resulting in a DoS issue.
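The bound-check mistake the report describes, as an added illustration that is not the advisory's or QEMU's code: a constructed model of consuming a tx descriptor into a fixed array of fragments, with the off-by-one comparison beside the corrected one. `TX_FRAGS_MAX`, the `frag` structure, `tx_consume_model` and the fragment lengths are assumptions for this example; the guard slot exists only so the vulnerable comparison can be exercised without undefined behaviour, and the allocation counter shows the error path releasing every buffer it took.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the fragment limit named in the advisory. The constant
 * name, structures and functions here are assumptions for this example, not
 * QEMU's rocker source. */
#define TX_FRAGS_MAX 16

struct frag {
    void  *buf;
    size_t len;
};

/* Vulnerable bound: rejects only once the count already exceeds the array
 * size, so the 17th fragment is stored at index 16, one past the end. */
static bool frag_fits_vulnerable(int iovcnt)
{
    return !(iovcnt > TX_FRAGS_MAX);
}

/* Fixed bound: reject as soon as the array is full. */
static bool frag_fits_fixed(int iovcnt)
{
    return iovcnt < TX_FRAGS_MAX;
}

/* Fragment buffers currently allocated; lets a caller verify that the
 * error path frees everything instead of leaking on the host. */
static int live_allocs = 0;

/* Consume one descriptor holding `nfrags` fragments of the given lengths
 * (constructed input). Returns the number of fragments stored, or -1 when
 * the limit is hit. The array carries one extra guard slot so that a store
 * at index TX_FRAGS_MAX is observable rather than undefined. */
static int tx_consume_model(const size_t *lens, int nfrags, bool (*fits)(int))
{
    struct frag iov[TX_FRAGS_MAX + 1];   /* last slot is the guard */
    int iovcnt = 0;
    int result;

    memset(iov, 0, sizeof(iov));
    for (int i = 0; i < nfrags; i++) {
        if (!fits(iovcnt)) {
            result = -1;              /* too many fragments */
            goto out;
        }
        iov[iovcnt].buf = malloc(lens[i] ? lens[i] : 1);
        iov[iovcnt].len = lens[i];
        live_allocs++;
        iovcnt++;
    }
    result = iovcnt;

out:
    /* Release every fragment buffer, on success and on the error path. */
    for (int i = 0; i < iovcnt; i++) {
        free(iov[i].buf);
        live_allocs--;
    }
    return result;
}

/* Build a descriptor of `nfrags` constructed 64-byte fragments (capped at 32)
 * and consume it with the chosen bound check. */
static int run_descriptor(int nfrags, bool (*fits)(int))
{
    size_t lens[32];
    if (nfrags > 32) {
        nfrags = 32;
    }
    for (int i = 0; i < nfrags; i++) {
        lens[i] = 64;
    }
    return tx_consume_model(lens, nfrags, fits);
}

/* True when the consume loop stored more fragments than the array holds,
 * i.e. the bound check let an out-of-bounds store through. */
static bool overflowed(int stored)
{
    return stored > TX_FRAGS_MAX;
}

int main(void)
{
    int v = run_descriptor(TX_FRAGS_MAX + 1, frag_fits_vulnerable);
    int f = run_descriptor(TX_FRAGS_MAX + 1, frag_fits_fixed);
    printf("vulnerable check stored %d fragments (overflow: %s)\n",
           v, overflowed(v) ? "yes" : "no");
    printf("fixed check returned %d, live allocations after both runs: %d\n",
           f, live_allocs);
    return 0;
}
```

With 17 fragments the vulnerable comparison stores all 17, the last one past the real array; the fixed comparison returns -1 at the 17th and frees the 16 buffers already taken, which is the behaviour a host-side review would want on any descriptor that a guest controls.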