CVE-2016-7907

Description

The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

CVSS Metrics

• v3.1•MEDIUM•Score: 4.4CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
• v2.0•LOW•Score: 2.1AV:L/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.11%• Percentile: 29%

Techniques & Countermeasures

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

• CWE-399•Resource Management Errors

  Weaknesses in this category are related to improper management of system resources.

Affected Systems

• qemu•qemu

  ≤ 2.8.1.1 | 2.9.0:rc0 | 2.9.0:rc1 | 2.9.0:rc2 | 2.9.0:rc3 | 2.9.0:rc4 | 2.9.0:rc5

References (6)

• http://www.openwall.com/lists/oss-security/2016/10/03/1
• https://security.gentoo.org/glsa/201611-11
• http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html
• http://www.securityfocus.com/bid/93274
• http://www.openwall.com/lists/oss-security/2016/10/03/4