[Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378)

Philippe Mathieu-Daudé posted 2 patches 4 years, 7 months ago
Failed in applying to current master (apply log)
src/ip_input.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
[Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378)
Posted by Philippe Mathieu-Daudé 4 years, 7 months ago
Hi, this is a SLiRP bug, however as QEMU comsumes the library, it is
directly concerned, so I'm cross-posting both QEMU and SLiRP lists
for a stricter review.

The 2nd patch is a PoC, to give QEMU a chance to shutdown properly
if SLiRP internals get corrupted. Simply sent as RFC.

The vulnerability is very well described here:
https://vishnudevtj.github.io/notes/qemu-vm-escape-cve-2019-14378

Exploit (used as reproducer):
https://github.com/vishnudevtj/exploits/blob/master/qemu/CVE-2019-14378/exp.c

Philippe Mathieu-Daudé (2):
  Do not reassemble fragments pointing outside of the original payload
  RFC Delay crash when mbufs are corrupted

 src/ip_input.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

-- 
2.20.1