Vigil@nce - QEMU: buffer overflow of scsi_disk_emulate_command
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A privileged attacker located in a QEMU guest system can use a
malicious SCSI command, in order to stop the host service.
Severity: 1/4
Creation date: 12/09/2011
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The QEMU virtualization environment can emulate a SCSI device
(hard drive, etc.).
The scsi_disk_emulate_command() function of the hw/scsi-disk.c
file emulates commands of the virtual SCSI controller:
– TEST UNIT READY : check if the device is ready
– READ CAPACITY : read the disk size
– etc.
This function uses memset() to zero the buffer that holds the
READ CAPACITY reply. However, the length passed to memset() comes
from the guest's request rather than from the real size of the
buffer. An attacker can thus overwrite memory beyond that buffer
with zeros.
A privileged attacker located in a QEMU guest system can therefore
use a malicious SCSI command, in order to stop the host service.
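The following is an added illustration of the fix pattern for this class of bug, written for this page and not taken from QEMU's hw/scsi-disk.c: the zero-fill and the reply length are both bounded by the host buffer instead of by the guest's transfer length. The function names, the buffer sizes and the transfer length (xfer) are assumptions; the self-test reproduces the bulletin's scenario with a guard region after the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not QEMU's code. In the bulletin's bug the
 * zero-fill for the READ CAPACITY reply used the guest's transfer length
 * (assumed name: xfer) directly, so memset(outbuf, 0, xfer) could run
 * past the host buffer. Fix pattern: bound every guest-derived length by
 * the real buffer size before memset() or any write. */

#define RC10_REPLY_LEN 8u
#define SECTOR_SIZE    512u

static size_t min_size(size_t a, size_t b) { return a < b ? a : b; }

/* Hardened READ CAPACITY(10) emulation: returns bytes to transfer to the
 * guest, or -1 if the host buffer cannot hold a reply. */
int emulate_read_capacity_10(uint8_t *outbuf, size_t outbuf_len,
                             size_t xfer, uint64_t nb_sectors) {
    if (outbuf == NULL || outbuf_len < RC10_REPLY_LEN) {
        return -1;
    }
    /* Zero only what the buffer holds, never what the guest asked for. */
    memset(outbuf, 0, min_size(xfer, outbuf_len));

    /* Last LBA, saturating to 0xFFFFFFFF so the guest falls back to
     * READ CAPACITY(16) for larger disks. */
    uint64_t last_lba = nb_sectors ? nb_sectors - 1 : 0;
    uint32_t lba32 = last_lba > UINT32_MAX ? UINT32_MAX : (uint32_t)last_lba;
    for (int i = 0; i < 4; i++) {
        outbuf[i]     = (uint8_t)(lba32 >> (24 - 8 * i));
        outbuf[4 + i] = (uint8_t)(SECTOR_SIZE >> (24 - 8 * i));
    }
    /* Transfer at most the reply, even if xfer is larger. */
    return (int)min_size(xfer, RC10_REPLY_LEN);
}

/* Self-check for the bulletin's scenario: a 16-byte host buffer, a guest
 * asking for 4096 bytes, guard bytes after the buffer. Returns 0 when the
 * guard is intact and the reply is correct, a nonzero code otherwise. */
int read_capacity_selftest(void) {
    uint8_t buf[24];
    memset(buf, 0xAA, sizeof buf);          /* guard pattern (constructed) */
    int n = emulate_read_capacity_10(buf, 16, 4096, 2097152ULL); /* 1 GiB */
    if (n != 8) return 1;
    for (int i = 16; i < 24; i++) if (buf[i] != 0xAA) return 2; /* overrun */
    /* last LBA 2097151 = 0x001FFFFF, block size 0x00000200 */
    static const uint8_t want[8] = {0x00,0x1F,0xFF,0xFF,0x00,0x00,0x02,0x00};
    return memcmp(buf, want, 8) == 0 ? 0 : 3;
}
```

A regression test for the real code would follow the same shape: send an oversized transfer length and verify that memory past the reply buffer is untouched.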
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/QEMU-buffer-overflow-of-scsi-disk-emulate-command-10981