Welcome, Guest! Log In | Create Account

Share August 2004: Project of the Month

Bochs x86 PC emulator

Tracker: Bugs

5 Various security issues in io device emulation - ID: 1729822
Last Update: Comment added ( vruppert )

Hi,

Short intro I'm a linux enthousiast/developer. Lately I'm mainly active as
a package maintainer for the Fedora distribution, as such I recently
received this bug report:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241799

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

"The emulated floppy disk controller in Bochs 2.3 allows local users of
the
guest operating system to cause a denial of service (virtual machine crash)
via
unspecified vectors, resulting in a divide-by-zero error."

Notice that http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894 points to:
http://www.frsirt.com/english/advisories/2007/1936

Which says:
Two vulnerabilities have been identified in Bochs, which could be exploited
by malicious users to execute arbitrary code or cause a denial of service.

The first issue is caused by a heap overflow error in the emulated NE2000
device that allows a large value in the TXCNT register to exceed the
available memory, which could be exploited by an attacker with "root"
privileges on a vulnerable guest system to execute arbitrary code on the
host system.

The second vulnerability is caused by a divide-by-zero in the emulated
floppy disk controller, which could be exploited by malicious users to
terminate the bochs process, creating a denial of service condition.

So there is not one but 2 issues!

Hans de Goede ( jwrdegoede ) - 2007-06-02 07:48

5

Closed

Fixed

Nobody/Anonymous

I/O Device

None

Public


Comments ( 3 )




Date: 2007-08-22 07:13
Sender: vruppertProject Admin


From my point of view a divide-by-zero can no longer happen in the floppy
code. I'll close this bug report now. Please open a new item when you find
out that this critical bug still exists.

Date: 2007-08-21 17:53
Sender: jwrdegoede


I can confirm that the ne2000 problem indeed is fixed, as for the floppy
problem, I'm not the finder if it, I merely relayed the report. I've read
the original finder of the problems report and he used a feed (semi) random
data test to test the robustness on the floppy driver and found the divide
by zero error that way. Since you've looked for divide's by zero in the
floppy earlier (AFAIK) and couldn't find any then, I guess you now have
found the last one which the random feed managed to trigger (notice the
finder of the problem only saw this once, so it was hard to trigger).

So I _believe_ that all is well now, but I cannot confirm it, as there was
no way to (reliable) reproduce the divide by zerro error, and I thus cannot
test if its fixed now.

Date: 2007-08-21 14:26
Sender: vruppertProject Admin


The NE2000 problem is already fixed and in the floppy code I have fixed a
possible division-by-zero error today. Can you confirm that both issues are
fixed now?

Log in to comment.

Attached File

No Files Currently Attached

Changes ( 3 )

Field Old Value Date By
status_id Open 2007-08-22 07:13 vruppert
resolution_id None 2007-08-22 07:13 vruppert
close_date - 2007-08-22 07:13 vruppert


About SourceForge

Find Software

Develop Software

Community

Help

Copyright © 2010 Geeknet, Inc. All rights reserved. Terms of Use