QEMU - Stack Buffer Overflow in NBD Server Triggered via Long Export Name

EDB-ID: 43194
Author: Eric Blake
Published: 2017-11-29
CVE: CVE-2017-15118
Type: Dos
Platform: Linux
Aliases: N/A
Advisory/Source: Link
Tags: Buffer Overflow
Vulnerable App: N/A

 can request export names up to 4096 bytes in length, even though 
they should not expect success on names longer than 256. However,
qemu hard-codes the limit of 256, and fails to filter out a client
that probes for a longer name; the result is a stack smash that can
potentially give an attacker arbitrary control over the qemu

The smash can be easily demonstrated with this client:

$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)

If the qemu NBD server binary (whether the standalone qemu-nbd, or
the builtin server of QMP nbd-server-start) was compiled with
-fstack-protector-strong, the ability to exploit the stack smash
into arbitrary execution is a lot more difficult (but still
theoretically possible to a determined attacker, perhaps in
combination with other CVEs). Still, crashing a running qemu (and
losing the VM) is bad enough, even if the attacker did not obtain
full execution control.

Related Posts