Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes.
The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Enterprise_linux | Redhat | 6.0 (including) | 6.0 (including) |
OpenStack 3 for RHEL 6 | RedHat | qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.8 | * |
OpenStack 4 for RHEL 6 | RedHat | qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.8 | * |
Red Hat Enterprise Linux 6 | RedHat | qemu-kvm-2:0.12.1.2-2.415.el6_5.8 | * |
RHEV 3.X Hypervisor and Agents for RHEL-6 | RedHat | qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.8 | * |
RHEV 3.X Hypervisor and Agents for RHEL-6 | RedHat | rhev-hypervisor6-0:6.5-20140603.2.el6ev | * |
Qemu | Ubuntu | saucy | * |
Qemu | Ubuntu | upstream | * |
Qemu-kvm | Ubuntu | lucid | * |
Qemu-kvm | Ubuntu | precise | * |
Qemu-kvm | Ubuntu | quantal | * |