[Secure-testing-team] Bug#813194: CVE-2016-2197: ide: ahci null pointer dereference when using FIS CLB engines
Michael Tokarev
mjt at tls.msk.ru
Sat Jan 30 11:27:20 UTC 2016
Source: qemu
Version: 1:2.3+dfsg-1
Severity: important
Tags: security upstream patch
CVE-2016-2197 has been assigned to the following flaw
http://www.openwall.com/lists/oss-security/2016/01/29/2 :
---
Qemu emulator built with an IDE AHCI emulation support is vulnerable to a null
pointer dereference flaw. It occurs while unmapping the Frame Information
Structure (FIS) & Command List Block (CLB) entries.
A privileged user inside the guest could use this flaw to crash the Qemu process
instance, resulting in DoS.
Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05742.html
Reference:
----------
-> https://bugzilla.redhat.com/show_bug.cgi?id=1302057
This issue was discovered by Mr Zuozhi Fzz of Alibaba Inc.
---
Apparently introduced in the following commit:
commit fc3d8e1138cd0c843d6fd75272633a31be6554ef
Author: John Snow <jsnow at redhat.com>
Date: Fri Mar 27 15:48:11 2015 -0400
AHCI: Protect cmd register
Many bits in the CMD register are supposed to be strictly read-only.
We should not be deleting them on every write.
As a side-effect: pay explicit attention to when a guest marks off
the FIS Receive or Start bits, and disable the status bits ourselves,
instead of letting them implicitly fall off.
(which is in version 2.3).
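A toy C model of this failure class, added here and not part of the bug report or of QEMU's own code: a PxCMD write path that tears down the FIS receive and command list mappings whenever the guest clears FRE/ST, shown without and with a check that the area is actually still mapped. All names (ModelPort, port_write_cmd, replay_sequence) and the enable/clear/clear write sequence are assumptions made for the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of one AHCI port's guest-memory mappings. This is not
 * QEMU's code; only the shape of the bug and of an idempotent unmap guard. */
#define PORT_CMD_START   (1u << 0)   /* ST: command list processing */
#define PORT_CMD_FIS_RX  (1u << 4)   /* FRE: FIS receive enable */

typedef struct {
    uint32_t cmd;      /* PxCMD */
    uint8_t *lst;      /* Command List Block, NULL when not mapped */
    uint8_t *res_fis;  /* received-FIS area, NULL when not mapped */
    int null_unmap;    /* set when an unmap ran on a NULL mapping */
} ModelPort;

/* Stand-in for the DMA unmap; a real unmap reads through the pointer, so a
 * NULL here corresponds to the crash the advisory describes. */
static void model_unmap(ModelPort *p, uint8_t **slot) {
    if (*slot == NULL) { p->null_unmap = 1; return; }
    free(*slot);
    *slot = NULL;
}

static void model_map(uint8_t **slot, size_t len) {
    if (*slot == NULL) *slot = calloc(1, len);
}

/* Guest write to PxCMD. guarded=0: clearing FRE/ST always unmaps.
 * guarded=1: unmap only when the area is still mapped. */
void port_write_cmd(ModelPort *p, uint32_t val, int guarded) {
    uint32_t old = p->cmd;
    p->cmd = val;
    if ((val & PORT_CMD_FIS_RX) && !(old & PORT_CMD_FIS_RX))
        model_map(&p->res_fis, 256);
    if ((val & PORT_CMD_START) && !(old & PORT_CMD_START))
        model_map(&p->lst, 1024);
    if (!(val & PORT_CMD_FIS_RX) && (!guarded || p->res_fis != NULL))
        model_unmap(p, &p->res_fis);
    if (!(val & PORT_CMD_START) && (!guarded || p->lst != NULL))
        model_unmap(p, &p->lst);
}

/* Assumed sequence: enable both, clear both, clear again with nothing mapped.
 * Returns 1 if the model unmapped a NULL area (crash), 0 if it stayed sane. */
int replay_sequence(int guarded) {
    ModelPort p; memset(&p, 0, sizeof p);
    port_write_cmd(&p, PORT_CMD_START | PORT_CMD_FIS_RX, guarded);
    port_write_cmd(&p, 0, guarded);
    port_write_cmd(&p, 0, guarded);
    int hit = p.null_unmap;
    free(p.lst); free(p.res_fis);
    return hit;
}
```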