Vigil@nce - QEMU: memory corruption via ESP/NCR53C9x
August 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker with control of a guest (for example a guest OS driver) can
trigger a memory corruption in the ESP/NCR53C9x SCSI controller emulation
of QEMU, in order to crash the QEMU process (denial of service of the
guest), and possibly to run code in the context of the QEMU process on the
host.
Impacted products: Fedora, QEMU.
Severity: 2/4.
Creation date: 02/06/2016.
DESCRIPTION OF THE VULNERABILITY
The QEMU product can be compiled with support for the ESP/NCR53C9x SCSI
controller emulation (hw/scsi/esp.c), which guest drivers program through
the device registers and its FIFO.
However, the get_cmd() function uses the guest-controlled ti_size field as
the number of bytes to copy from the transfer information buffer into the
fixed-size command buffer, without checking it against the buffer size. A
command whose ti_size is too large therefore causes an out-of-bounds write
(buffer overflow) in get_cmd().
An attacker with control of a guest can therefore trigger a memory
corruption in the ESP/NCR53C9x emulation of QEMU, in order to crash the
QEMU process (denial of service), and possibly to run code in the context
of that process.
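The copy pattern described above, modelled in C as an added example (this is not code from QEMU's hw/scsi/esp.c and not from Vigil@nce): a guest-controlled ti_size is used as the length of a copy from the transfer buffer into a fixed-size command buffer. The buffer sizes, field names, the oversized model FIFO and the canary region are assumptions chosen for the illustration; the hardened variant shows the bound check that the unchecked one lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes and field names here are assumptions for the model; only the shape
 * of the bug (guest-controlled ti_size used as a copy length into a
 * fixed-size command buffer) is taken from the bulletin. */
#define TI_BUFSZ  16            /* bytes the transfer-information buffer holds */
#define CMDBUF_SZ 16            /* bytes reserved for the assembled SCSI command */
#define CANARY_SZ 16            /* model-only: region right after cmdbuf */

typedef struct {
    /* Model FIFO storage, deliberately larger than TI_BUFSZ so that an
     * oversized copy stays inside this array and the demonstration itself
     * has no undefined behaviour; the device buffer is only TI_BUFSZ. */
    uint8_t  fifo[CMDBUF_SZ + CANARY_SZ];
    uint32_t ti_size;           /* guest-controlled: bytes claimed to be in the FIFO */
    /* cmdbuf followed by a canary; a write past CMDBUF_SZ lands in the canary. */
    uint8_t  mem[CMDBUF_SZ + CANARY_SZ];
} EspModel;

void esp_model_init(EspModel *s)
{
    memset(s, 0, sizeof(*s));
    for (size_t i = 0; i < sizeof(s->fifo); i++)
        s->fifo[i] = (uint8_t)(0xC0 + i);       /* constructed FIFO contents */
}

/* Vulnerable pattern: ti_size is trusted as the copy length. */
uint32_t get_cmd_unchecked(EspModel *s)
{
    uint32_t len = s->ti_size;
    if (len > sizeof(s->mem))                   /* model-only clamp so the demo */
        len = sizeof(s->mem);                   /* stays inside its own arrays */
    memcpy(s->mem, s->fifo, len);               /* overruns cmdbuf when len > CMDBUF_SZ */
    return len;
}

/* Hardened pattern: reject lengths the buffers cannot hold before copying. */
uint32_t get_cmd_checked(EspModel *s)
{
    uint32_t len = s->ti_size;
    if (len > TI_BUFSZ || len > CMDBUF_SZ)
        return 0;                               /* no command is assembled */
    memcpy(s->mem, s->fifo, len);
    return len;
}

/* Model-only probe: 1 if anything was written past the end of cmdbuf. */
int canary_clobbered(const EspModel *s)
{
    for (size_t i = CMDBUF_SZ; i < sizeof(s->mem); i++)
        if (s->mem[i] != 0)
            return 1;
    return 0;
}

int main(void)
{
    EspModel s;
    uint32_t n;

    esp_model_init(&s);
    s.ti_size = 24;                             /* larger than the 16-byte buffers */
    n = get_cmd_unchecked(&s);
    printf("unchecked: copied %u bytes, canary clobbered: %d\n",
           n, canary_clobbered(&s));

    esp_model_init(&s);
    s.ti_size = 24;
    n = get_cmd_checked(&s);
    printf("checked:   copied %u bytes, canary clobbered: %d\n",
           n, canary_clobbered(&s));
    return 0;
}
```

In the emulator the equivalent overrun lands in whatever follows the command buffer in the device state, which is why the bulletin rates the outcome as a crash and possibly code execution rather than only a crash; the check in get_cmd_checked() is the kind of length validation that must sit before the copy.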
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/QEMU-memory-corruption-via-ESP-NCR53C9x-19762