BF Specification of CVE-2008-4539 “BitBlt” heap overflow in Cirrus VGA in KVM before kvm-82 and QEMU on Debian GNU/Linux and Ubuntu

Erroneous verification of pointers towards a upper limit leads to use of an inconsistent size for an object, allowing a pointer reposition over its bounds, which, when used to in 'cirrus_do_copy()' leads to a heap buffer overflow. If exploited, this can lead to arbitrary code execution.

//generated// Erroneous Code (in ‘cirrus_bitblt_videotovideo_copy() misplaced ‘BLTUNSAFE(s)’ check) to Range Verify (fixed with trancation via ‘& s->cirrus_addr_mask’) In Use in Codebase (hw/cirrus_vga.c#L793-#L796) Bare-Metal (Xen bare-metal hypervisor) leads to Wrong Value

, which propagates to Wrong Size Direct Reposition (‘cirrus_do_copy()’) Heap Used Codebase (hw/cirrus_vga.c#L789-#L791) in Bare-Metal (Xen bare-metal hypervisor) resulting in Over Bounds Pointer

, which propagates to Over Bounds Pointer (in e.g., ‘cpu_physical_memory_set_dirty(s->vram_offset + off_cur)’) Direct Write Heap Codebase (hw/cirrus_vga.c#L789-#L791) in Bare-Metal (Xen bare-metal hypervisor) resulting in Buffer Overflow

. If exploited this can lead to ACE (everything could be lost).

vendor:product: kvm_qumranet:kvm

Bug Report

Code with Bug

Code with Fix

NVD Entry

DVRData Verification (DVR) class – Data are verified (semantics check) or corrected (assign, remove) improperly.
MADMemory Addressing (MAD) class – The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUSMemory Use (MUS) class – An object is initialized, read, written, or cleared improperly.
VerifyVerify operation – Check data semantics (proper value/meaning) in order to accept (and possibly correct) or reject it.
RepositionReposition operation – Change the pointer to another position inside its object.
WriteWrite operation – Change the data value of an object to another meaningful value.
Code BugCode Bug type – Defect in the implementation of the operation – proper operands over an improper operation. A first cause for the chain of weaknesses underlying a software security vulnerability. Must be fixed to resolve the vulnerability.
   Erroneous CodeErroneous Code bug - There is a coding error in the implementation of the operation.
Data Error/FaultData Fault/Error type – The object data has harmed semantics or inconsistent or wrong value.
   Wrong ValueWrong Value fault/error – The value of the data is not accurate (e.g., outside of a range).
   Wrong SizeWrong Size fault/error – The value used as size does not match the actual size of the object (e.g., to restrict pointer repositioning or index increment/decrement in a repetition statement).
Address Error/FaultAddress Fault/Error type – The object address in use is wrong.
   Over Bounds PointerOver Bounds Pointer fault/error – Holds an address above the upper boundary of its object.
Memory Corruption/Disclosure Final ErrorMemory Corruption/Disclosure exploitable error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer OverflowBuffer Overflow exploitable error – Writing above the upper bound of an object – aka Buffer Over-Write.
Operation AttributeDefinition
MechanismMechanism operation attribute type – Shows how the buggy/faulty operation code is performed.
   RangeRange operation attribute – The operation checks data are within a (min, max) interval.
   DirectDirect operation attribute – The operation is on a particular object element.
Source CodeSource Code operation attribute type – Shows where the buggy/faulty operation code is in software or firmware.
   CodebaseCodebase operation attribute – The operation is in the programmer's code - in the application itself.
Execution SpaceExecution Space operation attribute type – Shows where the buggy/faulty operation code is running or with what privilege level.
   Bare-MetalBare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operand AttributeDefinition
Data StateData State operand attribute type operand attribute – Shows where the data come from.
   In UseIn Use operand attribute – Data are from a volatile storage (e.g., RAM, cache memory).
Address StateAddress State operand attribute type - Shows where the address is in the memory layout.
   HeapHeap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() and new).
Size KindSize Kind operand attribute type – Shows what the limit for traversal of the object is.
   UsedUsed operand attribute – A supplied size for an object.