Qemu's VNC implementation will perform a null pointer dereference and cause a segmentation fault if the bits per pixel in the client's set pixel format message is between 0 and 7

Solution Verified - Updated -

Issue

  • Qemu's VNC implementation will perform a null pointer dereference and cause a segmentation fault if the bits per pixel in the client's set pixel format message is between 0 and 7.vs->client_pf.bytes_per_pixel is set to the client's stated bit per pixel value divided by 8, hence 0 to 7 will cause this value to be zero.
  • Thus, the buffer is never initialized. Later on, it is dereferenced and the Qemu process segfaults and crashes. The entire virtual machine instance quits running.
  • Threat: The effect of this bug is that an attacker able to access VNC on the compute node, which is currently not password protected, is able to crash arbitrary client VM instances.
  • It is also notable that if the attacker is able to gain the novnc-proxy token in use by a victim, he can trigger this bug through the novnc-proxy web interface.
  • Unlike using VNC to instruct the VM guest OS to shut down, an attacker can exploit this bug regardless of whether the VM's screen is locked or a user is currently logged in.

Environment

  • Red Hat Enterprise Linux 7.1
  • QEMU 1.5.3

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content