[Slirp] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378)
Philippe Mathieu-Daudé
philmd at redhat.com
Thu Aug 22 14:41:32 UTC 2019
Hi, this is a SLiRP bug, however as QEMU comsumes the library, it is
directly concerned, so I'm cross-posting both QEMU and SLiRP lists
for a stricter review.
The 2nd patch is a PoC, to give QEMU a chance to shutdown properly
if SLiRP internals get corrupted. Simply sent as RFC.
The vulnerability is very well described here:
https://vishnudevtj.github.io/notes/qemu-vm-escape-cve-2019-14378
Exploit (used as reproducer):
https://github.com/vishnudevtj/exploits/blob/master/qemu/CVE-2019-14378/exp.c
Philippe Mathieu-Daudé (2):
Do not reassemble fragments pointing outside of the original payload
RFC Delay crash when mbufs are corrupted
src/ip_input.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--
2.20.1
More information about the Slirp
mailing list