Vigil@nce - QEMU: buffer overflow of hmp_sendkey
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in a guest system can generate a buffer overflow in
hmp_sendkey() of QEMU, in order to trigger a denial of service,
and possibly to run code on the host system.
Impacted products: Debian, Fedora, QEMU, Ubuntu.
Severity: 2/4.
Creation date: 28/12/2015.
DESCRIPTION OF THE VULNERABILITY
The QEMU product implements HMP (Human Monitor Interface).
However, if the size of data in the "sendkey" command is greater
than the size of the storage array, an overflow occurs in the
hmp_sendkey() function.
An attacker in a guest system can therefore generate a buffer
overflow in hmp_sendkey() of QEMU, in order to trigger a denial of
service, and possibly to run code on the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/QEMU-buffer-overflow-of-hmp-sendkey-18591