[Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet r

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet r

From:	Philippe Mathieu-Daudé
Subject:	[Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378)
Date:	Thu, 22 Aug 2019 16:41:32 +0200

Hi, this is a SLiRP bug, however as QEMU comsumes the library, it is
directly concerned, so I'm cross-posting both QEMU and SLiRP lists
for a stricter review.

The 2nd patch is a PoC, to give QEMU a chance to shutdown properly
if SLiRP internals get corrupted. Simply sent as RFC.

The vulnerability is very well described here:
https://vishnudevtj.github.io/notes/qemu-vm-escape-cve-2019-14378

Exploit (used as reproducer):
https://github.com/vishnudevtj/exploits/blob/master/qemu/CVE-2019-14378/exp.c

Philippe Mathieu-Daudé (2):
  Do not reassemble fragments pointing outside of the original payload
  RFC Delay crash when mbufs are corrupted

 src/ip_input.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

-- 
2.20.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378), Philippe Mathieu-Daudé <=
- [Qemu-devel] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/22
  - Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Samuel Thibault, 2019/08/22
    - Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/23
    - Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Samuel Thibault, 2019/08/25
    - Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, P J P, 2019/08/29
    - Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/29
    - Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/29
    - Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/29
- [Qemu-devel] [RFC PATCH 2/2] Delay crash when mbufs are corrupted, Philippe Mathieu-Daudé, 2019/08/22

Prev by Date: Re: [Qemu-devel] [PATCH v1 1/2] accel/tcg: adding integration with linux perf
Next by Date: [Qemu-devel] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
Previous by thread: [Qemu-devel] [PULL 0/7] First batch of s390x changes for 4.2
Next by thread: [Qemu-devel] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
Index(es):
- Date
- Thread