CVE-2015-3214 – QEMU - Programmable Interrupt Timer Controller Heap Overflow

https://notcve.org/view.php?id=CVE-2015-3214

The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index. Vulnerabilidad en pit_ioport_read en i8254.c en el kernel de Linux en versiones anteriores a 2.6.33 y en QEMU en versiones anteriores a 2.3.1, no distingue entre longitudes de lectura y longitudes de escritura, lo que podría permitir a los usuarios invitados del SO ejecutar código arbitrario en el host del SO desencadenando el uso de un índice no válido. An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. • https://www.exploit-db.com/exploits/37990 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924 http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.33 http://rhn.redhat.com/errata/RHSA-2015-1507.html http://rhn.redhat.com/errata/RHSA-2015-1508.html http://rhn.redhat.com/errata/RHSA-2015-1512.html http://www.debian.org/security/2015/dsa-3348 http://www.openwall.com/lists/oss-security/2015/06/25/7 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •