Li Qiang

**Nome do software vulnerável e versões afetadas** QEMU versão 4.2.0 **Descrição** A vulnerabilidade está relacionada a um estouro de buffer no componente hw/net/tulip.c do emulador de hardware QEMU. Isso ocorre durante a cópia dos buffers tx/rx, pois o tamanho do quadro não é validado em relação ao comprimento dos dados de leitura/gravação. A exploração desse problema pode permitir que um invasor remoto acesse dados confidenciais, comprometa a integridade dos dados e cause uma negação de serviço. **Recomendações** Para a versão 4.2.0 do QEMU, como solução temporária, considere desativar o componente `hw/net/tulip.c` até que um patch esteja disponível. Restrinja o acesso aos buffers `tx/rx` vulneráveis para minimizar o risco de exploração. Evite usar o componente `hw/net/tulip.c` na versão afetada do QEMU até que a vulnerabilidade seja resolvida. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A heap buffer out-of-bounds read/write access issue was discovered in the NVM Express Controller emulation of QEMU, specifically in the nvme cmb ops routines of the nvme device. This issue could allow a guest user or process to crash the QEMU process, resulting in a denial of service (DoS), or potentially execute arbitrary code with the privileges of the QEMU process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A stack-based buffer overflow issue exists, allowing local guest OS users to cause a denial of service by crashing the QEMU process. This issue is related to logging debug messages in the hw/usb/redirect.c component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (aka Quick Emulator) versions prior to the fixed version **Description** A memory leak issue exists, allowing local guest OS privileged users to cause a denial of service through memory consumption. This issue involves the `orig value` variable in the `v9fs list xattr` function. **Recommendations** For QEMU versions prior to the fixed version, consider updating to a version that includes the fix for this issue to prevent memory consumption denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** QEMU (aka Quick Emulator) versions prior to the fixed version **Description** The issue allows local guest OS privileged users to cause a denial of service, specifically file descriptor or memory consumption, via certain vectors related to an already in-use fid. This is due to the v9fs create and v9fs lcreate functions in hw/9pfs/9p.c. **Recommendations** For QEMU versions prior to the fixed version, consider restricting access to the v9fs create and v9fs lcreate functions as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is caused by an integer overflow in the hw/virtio/virtio-crypto.c component of QEMU, allowing local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host. This can be achieved by sending a crafted virtio-crypto request, which triggers a heap-based buffer overflow. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.10.6 **Description** The issue is caused by an integer overflow in the `vmw surface define ioctl` function. This can be exploited by a local attacker to cause a denial of service, such as a system hang or crash, or possibly gain privileges, by making a crafted ioctl call for a `/dev/dri/renderD*` device. The exploitation allows for out-of-bounds write, which can lead to system instability or privilege escalation. **Recommendations** For Linux kernel versions prior to 4.10.6, update to version 4.10.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/dev/dri/renderD*` device to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue allows local guest OS users to cause a denial of service, resulting in an out-of-bounds array access and a QEMU process crash. This is achieved through vectors involving `vertext buffer index`. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue is related to a memory leak in the `virgl resource attach backing` function. This leak allows local guest OS users to cause a denial of service by consuming memory through a large number of `VIRTIO GPU CMD RESOURCE ATTACH BACKING` commands. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting the number of `VIRTIO GPU CMD RESOURCE ATTACH BACKING` commands that can be executed to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue allows local guest OS users to cause a denial of service by destroying context 0, resulting in a NULL pointer dereference and a QEMU process crash. This is due to a problem in the `vrend decode reset` function. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `vrend decode reset` function to prevent the destruction of context 0 until a patch is available.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue is related to a heap-based buffer overflow in the `vrend create vertex elements state` function, located in `vrend renderer.c`. This occurs when the `num elements` parameter is used to cause an out-of-bounds array access, leading to a denial of service and potential crash. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `vrend create vertex elements state` function until a patch is available. Avoid using the `num elements` parameter in a way that could cause an out-of-bounds array access until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue is related to a memory leak in the `add shader program` function, which can be exploited by local guest OS users to cause a denial of service through host memory consumption. This is achieved via vectors involving the `sprog` variable. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue is related to a memory leak in the `vrend renderer context create internal` function in `vrend decode.c`. This allows local guest OS users to cause a denial of service by repeatedly creating a decode context, resulting in host memory consumption. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting the creation of decode contexts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue is related to a stack-based buffer overflow in the `parse identifier` function, located in the `tgsi text.c` file within the TGSI auxiliary module of the Gallium driver in virglrenderer. This overflow allows local guest OS users to cause a denial of service by accessing an array out of its bounds, leading to a crash of the QEMU process. The vulnerability is related to vectors associated with parsing properties. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `parse identifier` function in the `tgsi text.c` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue allows local guest OS users to cause a denial of service, resulting in an out-of-bounds array access and process crash, via a crafted texture instruction. This is due to a problem in the parse instruction function. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** virglrenderer (affected versions not specified) **Description** The issue is related to a memory leak in the `vrend create vertex elements state` function in `vrend renderer.c`. This allows local guest OS users to cause a denial of service by consuming host memory via a large number of `VIRGL OBJECT VERTEX ELEMENTS` commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcacard versions prior to 2.5.3 **Description** The issue is related to a memory leak in the `vcard apdu new` function, located in the `card 7816.c` file of the libcacard library. This memory leak allows local guest OS users to cause a denial of service by consuming host memory. The denial of service is achieved through vectors related to allocating a new APDU object. **Recommendations** For versions prior to 2.5.3, update to version 2.5.3 or later to resolve the issue. As a temporary workaround, consider restricting the allocation of new APDU objects to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions 0.6.0 and earlier **Description** The issue allows local guest OS users to cause a denial of service via a crafted VIRGL CCMD CLEAR command, resulting in a NULL pointer dereference. This occurs due to a problem in the util format is pure uint function in vrend renderer.c. **Recommendations** For virglrenderer versions 0.6.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** virglrenderer versions prior to 0.6.0 **Description** The issue is related to a memory leak in the `vrend renderer init blit ctx` function, located in `vrend blitter.c`. This leak can be triggered by local guest OS users, allowing them to cause a denial of service by consuming host memory. The memory leak is exploited via a large number of `VIRGL CCMD BLIT` commands. **Recommendations** For versions prior to 0.6.0, update to version 0.6.0 or later to resolve the issue. As a temporary workaround, consider restricting the number of `VIRGL CCMD BLIT` commands to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 2.9.0 **Description** The issue allows local guest OS users to cause a denial of service, resulting in an infinite loop. This is achieved through vectors involving the number of link endpoint list descriptors in the ohci service ed list function. **Recommendations** For versions prior to 2.9.0, update to version 2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the ohci service ed list function in hw/usb/hcd-ohci.c to minimize the risk of exploitation.