P J P
2018-11-29 09:15:05 UTC
Hello,
An integer overflow resulting in a memory corruption issue was found in various
Bluetooth functions. It could occur in routines wherein the 'len' parameter is a
'signed int' which is subsequently converted to an unsigned integer, resulting in
memcpy() copying large amounts of memory.
A user inside a guest could use this flaw to crash the Qemu process, resulting in
DoS.
Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
This issue was reported by Arash TC.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
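As an added example (not code from the QEMU patch or from this post), the following shows the sign-conversion pattern described above and a length check that rejects it before memcpy() runs. The buffer size RX_BUF_SIZE, the function names and the sample data are assumptions constructed for illustration, not values from the QEMU source.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical receive buffer size, constructed for this example. */
#define RX_BUF_SIZE 256

/* What an unchecked 'signed int' length becomes once it is passed to
 * memcpy()'s size_t parameter: -1 converts to SIZE_MAX, and any
 * negative value converts to a number far larger than any real buffer. */
size_t implicit_unsigned_len(int len)
{
    return (size_t)len;
}

/* Hardened copy: validates 'len' against both sign and destination size
 * before any bytes move. Returns the number of bytes copied, or -1 if
 * 'len' is negative or exceeds 'dst_size' (nothing is copied then). */
int checked_copy(uint8_t *dst, size_t dst_size, const uint8_t *src, int len)
{
    if (len < 0 || (size_t)len > dst_size) {
        return -1;
    }
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Convenience wrapper over static buffers so the check can be exercised
 * with a bare length value; 0xAB fill is constructed sample data. */
int try_copy(int len)
{
    static uint8_t dst[RX_BUF_SIZE];
    static uint8_t src[RX_BUF_SIZE];
    memset(src, 0xAB, sizeof src);
    return checked_copy(dst, sizeof dst, src, len);
}

int main(void)
{
    printf("(size_t)-1 = %zu (SIZE_MAX = %zu)\n",
           implicit_unsigned_len(-1), (size_t)SIZE_MAX);
    printf("try_copy(-1)   -> %d (rejected)\n", try_copy(-1));
    printf("try_copy(%d) -> %d (rejected)\n", RX_BUF_SIZE + 1,
           try_copy(RX_BUF_SIZE + 1));
    printf("try_copy(16)   -> %d (copied)\n", try_copy(16));
    return 0;
}
```

The fix pattern is the one the description implies: a length that originates as a signed value must be range-checked while it is still signed, because once it reaches a size_t parameter the negative case is indistinguishable from a huge positive one.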