Bugzilla – Bug 956829
VUL-0: CVE-2015-8345: qemu: net: eepro100: infinite loop in processing command block list
Last modified: 2016-10-19 12:29:12 UTC
rh#1285213 Qemu emulator built with the i8255x (PRO100) emulation support is vulnerable to an infinite loop issue. It could occur while processing a chain of commands located in the Command Block List(CBL). Each Command Block(CB) points to the next command in the list. An infinite loop unfolds if the link to the next CB points to the same block or there is a closed loop in the chain. A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS. Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html === From f06497dfefabbdd6f966a5d6c177d85cd0e5ecd8 Mon Sep 17 00:00:00 2001 From: Prasad J Pandit <address@hidden> Date: Fri, 16 Oct 2015 11:33:27 +0530 Subject: eepro100: prevent an infinite loop over same command block action_command() routine executes a chain of commands located in the Command Block List(CBL). Each Command Block(CB) has a link to the next CB in the list, given by 's->tx.link'. This is used in conjunction with the base address 's->cu_base'. An infinite loop unfolds if the 'link' to the next CB is same as the previous one, the loop ends up executing the same command over and over again. Reported-by: Qinghao Tang <address@hidden> Signed-off-by: Prasad J Pandit <address@hidden> --- hw/net/eepro100.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c index 60333b7..d76d108 100644 --- a/hw/net/eepro100.c +++ b/hw/net/eepro100.c @@ -863,6 +863,8 @@ static void action_command(EEPRO100State *s) uint16_t ok_status = STATUS_OK; s->cb_address = s->cu_base + s->cu_offset; read_cb(s); + if (s->tx.link == s->cu_offset) + break; bit_el = ((s->tx.command & COMMAND_EL) != 0); bit_s = ((s->tx.command & COMMAND_S) != 0); bit_i = ((s->tx.command & COMMAND_I) != 0); -- 2.4.3 === References: http://www.openwall.com/lists/oss-security/2015/11/25/11 https://bugzilla.redhat.com/show_bug.cgi?id=1285213 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8345
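Review bot: the added check `if (s->tx.link == s->cu_offset) break;` only terminates the walk when a command block links to itself, so the "closed loop in the chain" that the description names (block A links to B and B links back to A, or any longer ring) still keeps action_command() spinning forever and the DoS is unchanged for that input. A fix that covers the whole class would bound the number of blocks processed per CU start, or stop as soon as an offset repeats within one walk, rather than comparing only against the current offset. The commit message should also say what the guest observes when the walk is cut short: the `break` sits directly after read_cb(s) and before bit_el/bit_s/bit_i are evaluated, so the offending block is never executed and nothing in this hunk records that to the guest.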
bsc#956832 was opened for the internal qemu copy inside Xen.
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 15, 2015". When done, reassign the bug to "security-team@suse.de". /update/121067/.
upstream commit #00837731: eepro100: Prevent two endless loops
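To make the difference between the single-block check in the first patch and a check that covers any closed loop concrete, here is an added model of the CBL walk. It is illustration only, not QEMU's hw/net/eepro100.c: guest memory is a constructed dict of offset -> command block, each block carries a command word and a link offset (standing in for s->tx.command and s->tx.link), and the walk is run three ways: with no guard, with the self-link guard from the patch quoted in this bug, and with a guard that stops when an offset repeats within one walk. That last guard is an assumption standing in for a general cycle check; the upstream commit named above may implement it differently. The max_steps cutoff is also an artefact of the model, there to represent "QEMU never returns to its main loop" without actually hanging the interpreter.

```python
# Model of the i8255x Command Block List walk (constructed example, not QEMU code).
COMMAND_EL = 0x8000   # end of list: stop after this block
COMMAND_S = 0x4000    # suspend: stop after this block


def make_cb(link, command=0):
    """One command block: a command word and the offset of the next block."""
    return {"command": command, "link": link}


# Constructed guest memory images (offset -> command block), not captured from a VM.
GOOD_LIST = {0x10: make_cb(0x20), 0x20: make_cb(0x30), 0x30: make_cb(0x40, COMMAND_EL)}
SELF_LOOP = {0x10: make_cb(0x10)}                      # block links to itself
TWO_CYCLE = {0x10: make_cb(0x20), 0x20: make_cb(0x10)}  # A -> B -> A, no EL anywhere


def no_guard(executed, cu_offset, cb):
    """Unpatched behaviour: always follow the link."""
    return False


def selflink_guard(executed, cu_offset, cb):
    """The check from the first patch in this bug: stop only if the block links to itself."""
    return cb["link"] == cu_offset


def visited_guard(executed, cu_offset, cb):
    """Assumed general check: stop when a block is about to run a second time in one walk."""
    return cu_offset in executed


def action_command(memory, cu_offset, guard, max_steps=64):
    """Walk the CBL starting at cu_offset.

    `guard(executed, cu_offset, cb)` is evaluated right after the block is read and before
    it is executed, mirroring where the patch placed its `break`. Returns ('done', executed)
    when EL/S or the guard ends the list, or ('hang', executed) once max_steps blocks have
    run, which represents the endless loop that freezes QEMU's main loop.
    """
    executed = []
    while True:
        if len(executed) >= max_steps:
            return ("hang", executed)
        cb = memory[cu_offset]          # read_cb(s)
        if guard(executed, cu_offset, cb):
            return ("done", executed)
        executed.append(cu_offset)      # the command itself would run here
        if cb["command"] & (COMMAND_EL | COMMAND_S):
            return ("done", executed)
        cu_offset = cb["link"]          # s->cu_offset = s->tx.link


def compare():
    """Outcome of every (memory image, guard) pair: 'done' or 'hang'."""
    results = {}
    for mname, mem in (("good", GOOD_LIST), ("self", SELF_LOOP), ("cycle", TWO_CYCLE)):
        for gname, guard in (("unpatched", no_guard), ("selflink", selflink_guard),
                             ("visited", visited_guard)):
            results[(mname, gname)] = action_command(mem, 0x10, guard)[0]
    return results


if __name__ == "__main__":
    for (mname, gname), outcome in sorted(compare().items()):
        print(f"{mname:5s} list, {gname:9s} guard: {outcome}")
```

Running it shows the point of the reviewer's objection: the self-link guard turns SELF_LOOP from "hang" into "done" but leaves TWO_CYCLE hanging exactly like the unpatched walk, while the repeat-offset guard ends both and still processes the well-formed list to its EL block.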
This is an autogenerated message for OBS integration: This bug (956829) was mentioned in https://build.opensuse.org/request/show/347102 13.2 / qemu
All SLES and OpenSUSE versions are handled.
SUSE-SU-2016:0010-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 947164,950590,953187,956829,957162 CVE References: CVE-2015-7512,CVE-2015-8345 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): kvm-1.4.2-35.1 SUSE Linux Enterprise Desktop 11-SP4 (src): kvm-1.4.2-35.1
releasing SLE 12 update
SUSE-SU-2016:0020-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 947164,950590,953187,956829,957162 CVE References: CVE-2015-7512,CVE-2015-8345 Sources used: SUSE Linux Enterprise Server 11-SP3 (src): kvm-1.4.2-37.1 SUSE Linux Enterprise Desktop 11-SP3 (src): kvm-1.4.2-37.1
SUSE-SU-2016:0021-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 947164,953187,956829,957162 CVE References: CVE-2015-7512,CVE-2015-8345 Sources used: SUSE Linux Enterprise Server 12 (src): qemu-2.0.2-48.12.1 SUSE Linux Enterprise Desktop 12 (src): qemu-2.0.2-48.12.1
Created attachment 661575 [details] FAILED fix validation attempt by QA Maintenance for SLE-12 SP1 At least for the pending SLE-12 SP1 update candidate qemu-2.3.1-7.7 this bug is apparently not fixed. The provided reproducer still is effective in creating a DoS. For details see the attached excerpt from QA Maintenance protocol http://qam.suse.de/testreports/SUSE:Maintenance:1643:86318/log
(In reply to Klaus Wagner from comment #11)
> Created attachment 661575 [details]
> FAILED fix validation attempt by QA Maintenance for SLE-12 SP1
>
> At least for the pending SLE-12 SP1 update candidate qemu-2.3.1-7.7
> this bug is apparently not fixed. The provided reproducer still
> is effective in creating a DoS.
>
> For details see the attached excerpt from QA Maintenance protocol
>
> http://qam.suse.de/testreports/SUSE:Maintenance:1643:86318/log

I appreciate the effort to validate this fix. Thanks.

I am wondering about your criteria for whether the bug is fixed, however. If you'll read the qemu-devel mailing list comments about this infinite loop possibility in the eepro100 emulation, it appeared to be present in the actual hardware specification, and it would be allowed to let the guest "shoot himself in the foot" if it created this infinite loop condition, especially since it requires privilege in the guest to affect the virtual hardware in this way (ie - a malicious or buggy driver). The DoS which needed to be fixed was that the QEMU emulation needed to break out of the loop and allow for other expected hypervisor controls to still work, such as the HMP or QMP monitor.

Whether or not the guest can process network traffic after this eepro100 based infinite loop condition is triggered is not the right verifier for this bug.
Please provide an appropriate test case, then:

- *specific* procedure
- expected (good) result (after the update)
- exhibited bad result/behavior before the update which this fix is supposed to address

And yes, the proper place for such a reproducer is here in the bugreport, even in case the needed details could also be hunted down from a combination of external spots.
(In reply to Bruce Rogers from comment #12)
> (In reply to Klaus Wagner from comment #11)
> > Created attachment 661575 [details]
> > FAILED fix validation attempt by QA Maintenance for SLE-12 SP1
> >
> > At least for the pending SLE-12 SP1 update candidate qemu-2.3.1-7.7
> > this bug is apparently not fixed. The provided reproducer still
> > is effective in creating a DoS.
> >
> > For details see the attached excerpt from QA Maintenance protocol
> >
> > http://qam.suse.de/testreports/SUSE:Maintenance:1643:86318/log
>
> I appreciate the effort to validate this fix. Thanks.
>
> I am wondering about your criteria for whether the bug is fixed, however.
> If you'll read the qemu-devel mailing list comments about this infinite
> loop possibility in the eepro100 emulation, it appeared to be present in
> the actual hardware specification, and it would be allowed to let the
> guest "shoot himself in the foot" if it created this infinite loop condition,
> especially since it requires privilege in the guest to affect the virtual
> hardware in this way (ie - a malicious or buggy driver).
> The DoS which needed to be fixed was that the QEMU emulation needed to break
> out of the loop and allow for other expected hypervisor controls to still
> work, such as the HMP or QMP monitor.
>
> Whether or not the guest can process network traffic after this eepro100
> based infinite loop condition is triggered is not the right verifier for
> this bug.

Instructions for verifying this bug:

When this bug exhibits itself both the guest operations and the hypervisor "normal controls" over the guest are disrupted. The main concern here is the hypervisor controls. Since QA Maintenance appears to have a reproducer within the guest set up, I won't explain that portion, but rather the rest of the test case to show the bug and show the proper behavior.
Start the guest using the QEMU command line with simplified command line options for convenience:

qemu-kvm -m <guest-mem-in-mb> -drive file=<path-to-image>,if=virtio -net nic,model=i82559er,macaddr=52:54:00:12:34:56 -net tap,script=/usr/share/qemu/qemu-ifup -monitor stdio

(In the above command line, substitute the appropriate MAC address and disk interface (virtio, ide, ...) as needed.)

Before causing the eepro100 hardware hang, verify the QEMU monitor responsiveness by typing "info version" into the stdin of the executing qemu-kvm program (this is the QEMU monitor interface). The monitor should process the command and give the appropriate response on stdout. The QEMU monitor interface is the main administrative control point of the QEMU/KVM hypervisor over the guest VM.

Trigger the in-guest reproducer.

Again attempt to enter the "info version" command into the QEMU monitor. If the bug is present, the monitor will not respond. If the bug is fixed, the monitor will respond as before the reproducer was triggered.
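The procedure above checks responsiveness by hand on the HMP monitor. A scripted form of the same check, added here and not part of the bug report, asks the QMP monitor a trivial question with a timeout, so a wedged QEMU shows up as a failed probe rather than a hung terminal. It assumes the guest was started with an additional `-qmp unix:/tmp/qmp.sock,server,nowait` alongside the `-monitor stdio` used above. The fake QEMU endpoint in the block is constructed so the probe can be exercised offline; `demo(wedged=False)` stands for QEMU before the reproducer, `demo(wedged=True)` for a QEMU whose main loop is stuck in the eepro100 command walk (the listening socket still exists in the kernel, so connect() succeeds, but no greeting ever arrives). The script name in the usage comment is hypothetical.

```python
import json
import os
import socket
import sys
import tempfile
import threading


def _readline(sock):
    """Read one newline-terminated JSON object (QMP is a line-oriented protocol)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise OSError("peer closed the connection")
        buf += chunk
    return json.loads(buf)


def qmp_probe(sock_path, timeout=5.0):
    """Connect to QEMU's QMP socket, finish the greeting / qmp_capabilities handshake
    and run query-version. Returns the 'return' dict, or None if QEMU does not answer
    within `timeout` seconds or answers something that is not QMP."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sock_path)
        if "QMP" not in _readline(s):      # greeting never arrives from a wedged QEMU
            return None
        reply = None
        for cmd in ("qmp_capabilities", "query-version"):
            s.sendall((json.dumps({"execute": cmd}) + "\n").encode())
            reply = _readline(s)
            if "return" not in reply:
                return None
        return reply["return"]
    except (OSError, ValueError):          # socket timeout is an OSError, bad JSON a ValueError
        return None
    finally:
        s.close()


# --- constructed stand-in for QEMU so the probe can be exercised without a VM ---
_FAKE_VERSION = {"qemu": {"major": 2, "minor": 3, "micro": 1}, "package": ""}


def _fake_qemu(srv, wedged, stop):
    """Minimal QMP responder. With wedged=True it never calls accept(): the kernel still
    completes the client's connect() via the listen backlog, then nothing is said."""
    if wedged:
        stop.wait()
        return
    conn, _ = srv.accept()
    with conn:
        greeting = {"QMP": {"version": _FAKE_VERSION, "capabilities": []}}
        conn.sendall((json.dumps(greeting) + "\n").encode())
        for _ in range(2):
            req = _readline(conn)
            body = _FAKE_VERSION if req.get("execute") == "query-version" else {}
            conn.sendall((json.dumps({"return": body}) + "\n").encode())


def demo(wedged, timeout=1.0):
    """Probe a fake responsive or wedged QEMU on a temporary unix socket."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "qmp.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    stop = threading.Event()
    threading.Thread(target=_fake_qemu, args=(srv, wedged, stop), daemon=True).start()
    try:
        return qmp_probe(path, timeout)
    finally:
        stop.set()
        srv.close()
        os.unlink(path)
        os.rmdir(tmp)


if __name__ == "__main__":
    # Real use (hypothetical file name): python3 qmp_probe.py /tmp/qmp.sock
    # Run once before and once after the in-guest trigger; the second run must still answer.
    if len(sys.argv) > 1:
        print("responsive" if qmp_probe(sys.argv[1]) else "NO ANSWER: monitor is wedged")
    else:
        print("fake responsive QEMU ->", demo(wedged=False))
        print("fake wedged QEMU     ->", demo(wedged=True))
```

The probe deliberately goes through the full handshake rather than just connecting: a connect() alone succeeds against a hung QEMU because the socket is owned by the kernel, and only the greeting and the command reply prove that QEMU's main loop is still being scheduled, which is the property this bug's fix is supposed to restore.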
(In reply to Klaus Wagner from comment #13)
> Please provide an appropriate test case, then:
>
> - *specific* procedure
> - expected (good) result (after the update)
> - exhibited bad result/behavior before the update which this fix is
> supposed to address
>
> And yes, the proper place for such a reproducer is here in the bugreport,
> even in case the needed details could also be hunted down from a combination
> of external spots.

We are getting ready for another round of security updates and are wondering what the progress is towards getting this SLE 12 SP1 qemu update out the door. Is there anything else you need from me?
Reassigning to security team - hoping that will provide some kick to get this update finally out the door!
SUSE-SU-2016:0459-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 954864,956829,957162 CVE References: CVE-2015-7512,CVE-2015-8345 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): qemu-2.3.1-7.7 SUSE Linux Enterprise Desktop 12-SP1 (src): qemu-2.3.1-7.7
Releasing openSUSE Leap 42.1 update
openSUSE-SU-2016:0536-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 954864,956829,957162 CVE References: CVE-2015-7512,CVE-2015-8345 Sources used: openSUSE Leap 42.1 (src): qemu-2.3.1-12.1, qemu-linux-user-2.3.1-12.1, qemu-testsuite-2.3.1-12.2
SUSE-SU-2016:0873-1: An update that solves 43 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 864391,864655,864769,864805,864811,877642,897654,901508,902737,924018,928393,945404,945989,954872,956829,957162,957698,957988,958007,958009,958491,958523,958917,959005,959332,959387,959695,960334,960707,960725,960835,960861,960862,961332,961358,961691,962320,963782,963923,964413,965315,965317,967012,967013,967969,969121,969122,969350 CVE References: CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): xen-4.5.2_06-7.1 SUSE Linux Enterprise Server 12-SP1 (src): xen-4.5.2_06-7.1 SUSE Linux Enterprise Desktop 12-SP1 (src): xen-4.5.2_06-7.1
openSUSE-SU-2016:0914-1: An update that solves 26 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 864391,864655,864769,864805,877642,901508,902737,924018,928393,945404,945989,954872,956829,957162,957698,959332,959695,960334,960707,960725,960835,960861,961332,961358,961691,963782,963923,964413,967012,967013,967969 CVE References: CVE-2013-4533,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1714,CVE-2016-1981,CVE-2016-2198,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538 Sources used: openSUSE Leap 42.1 (src): xen-4.5.2_06-12.1 Product List: openSUSE Leap 42.1
SUSE-SU-2016:0955-1: An update that solves 46 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,924018,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,958917,959005,959387,959695,959928,960334,960707,960725,960835,960861,960862,961332,961358,961691,962320,963782,963923,964413,965315,965317,967012,967013,967630,967969,969121,969122,969350 CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.4_02-32.1 SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.4_02-32.1 SUSE Linux Enterprise Desktop 11-SP4 (src): xen-4.4.4_02-32.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_02-32.1
openSUSE-SU-2016:0995-1: An update that fixes 33 vulnerabilities is now available. Category: security (important) Bug References: 944463,944697,945989,956829,960334,960707,960725,960835,960861,960862,961332,961358,961691,962335,962360,962611,962627,962632,962642,962758,963782,964413,964431,964452,964644,964925,964929,964950,965156,965315,965317,967012,967969 CVE References: CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5239,CVE-2015-5278,CVE-2015-6815,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2392,CVE-2016-2538 Sources used: openSUSE 13.2 (src): xen-4.4.4_02-43.1
SUSE-SU-2016:1745-1: An update that solves 35 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,959005,959695,959928,960707,960725,960861,960862,961332,961691,963782,965315,965317,967012,967013,967630,967969,969350 CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8743,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841 Sources used: SUSE Linux Enterprise Server 11-SP3-LTSS (src): xen-4.2.5_20-24.9 SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_20-24.9