BF Specification of BFCVE-2007-1320 — Heap Buffer Overflows in the Cirrus VGA extension in QEMU 0.8.2

Missing Code (in cirrus_invalidate_region() and others) to Correct (upper bound via applying & s->cirrus_addr_mask) of In Use data using Quantity mechanism in Codebase source code (hw/cirrus_vga.c#L642 hw/cirrus_vga.c#L657 hw/cirrus_vga.c#L674 hw/cirrus_vga.c#L693-#L694 hw/cirrus_vga.c#L744-#L745 hw/cirrus_vga.c#L771-#L772 hw/cirrus_vga.c#L804-#L805 hw/cirrus_vga.c#L1923 hw/cirrus_vga.c#L1946) in Bare-Metal execution space (Xen bare-metal hypervisor) leads to Wrong Value (off_cur_end) error, which propagates to Wrong Size (in 'while (off_cur < off_cur_end)') to Reposition (pointer) on Heap with Used size using Direct mechanism in Codebase source code (hw/cirrus_vga.c#L664) in Bare-Metal execution space (Xen bare-metal hypervisor) that results in Overbound Pointer (s->vram_offset + off_cur) error, which propagates to Overbound Pointer (in 'cpu_physical_memory_set_dirty(s->vram_offset + off_cur)') to Write using Sequential mechanism in Codebase source code (hw/cirrus_vga.c#L645) in Bare-Metal execution space (Xen bare-metal hypervisor) that results in Buffer Overflow (heap) final error, which can be exploited toward Arbitrary Code Execution (ACE) (Everything Could be Lost) or Denial of Service (DoS) (Availability Loss) security failure.
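The chain above, as an added example that is not part of this BF page or of QEMU's own source: a small C model of cirrus_invalidate_region() run once without and once with the `& s->cirrus_addr_mask` on off_cur_end, so the Wrong Value, the Wrong Size in the while loop and the Overbound Pointer handed to the dirty-marking call can be observed. The 64 KiB VRAM, the 4 KiB page size, the per-page dirty flag array and the region offsets are constructed assumptions; the set_dirty() helper is a stand-in for cpu_physical_memory_set_dirty() that records an out-of-range attempt instead of writing, so the model never corrupts memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed page geometry (QEMU's TARGET_PAGE_SIZE/MASK are not on the page). */
#define PAGE_SIZE 4096u
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* Constructed model of the device state fields the chain names. */
struct model_state {
    uint8_t *dirty;            /* one flag per VRAM page (models the dirty bitmap) */
    uint32_t vram_size;        /* heap VRAM size, a power of two */
    uint32_t cirrus_addr_mask; /* vram_size - 1, the mask the fix applies */
};

struct invalidate_result {
    int inside;  /* marks that landed inside VRAM */
    int past;    /* marks the loop tried to make past the end of VRAM */
};

/* Stand-in for cpu_physical_memory_set_dirty(): counts instead of writing
 * when the offset is beyond the object, so the overbound pointer is visible. */
static void set_dirty(struct model_state *s, uint32_t off, struct invalidate_result *r)
{
    if (off >= s->vram_size) {
        r->past++;
        return;
    }
    s->dirty[off / PAGE_SIZE] = 1;
    r->inside++;
}

/* Model of cirrus_invalidate_region(); with_fix selects whether off_cur_end
 * is corrected with s->cirrus_addr_mask (the Missing Code in the chain). */
static struct invalidate_result invalidate_region(struct model_state *s, int with_fix,
                                                  uint32_t off_begin, uint32_t off_pitch,
                                                  uint32_t bytesperline, int lines)
{
    struct invalidate_result r = {0, 0};
    for (int y = 0; y < lines; y++) {
        uint32_t off_cur = off_begin;
        uint32_t off_cur_end = off_cur + bytesperline;   /* Wrong Value without the mask */
        if (with_fix)
            off_cur_end &= s->cirrus_addr_mask;
        off_cur &= PAGE_MASK;
        while (off_cur < off_cur_end) {                  /* Wrong Size bounds this loop */
            set_dirty(s, off_cur, &r);                    /* pointer may be past VRAM */
            off_cur += PAGE_SIZE;
        }
        off_begin += off_pitch;
    }
    return r;
}

static uint8_t dirty_pages[16]; /* 64 KiB / 4 KiB pages, constructed storage */

static struct model_state make_state(void)
{
    struct model_state s;
    memset(dirty_pages, 0, sizeof dirty_pages);
    s.dirty = dirty_pages;
    s.vram_size = 64u * 1024u;
    s.cirrus_addr_mask = s.vram_size - 1;
    return s;
}

/* Constructed scenario: one line starting 4 KiB before the end of VRAM whose
 * computed end lies 4 KiB past it. Returns marks attempted past VRAM. */
int marks_past_vram(int with_fix)
{
    struct model_state s = make_state();
    return invalidate_region(&s, with_fix, 0xF000, 0, 0x2000, 1).past;
}

/* Same scenario, marks that landed inside VRAM. */
int marks_inside_vram(int with_fix)
{
    struct model_state s = make_state();
    return invalidate_region(&s, with_fix, 0xF000, 0, 0x2000, 1).inside;
}

/* Control: a region fully inside VRAM behaves the same with or without the fix. */
int marks_in_range_region(int with_fix)
{
    struct model_state s = make_state();
    return invalidate_region(&s, with_fix, 0x1000, 0, 0x2000, 1).inside;
}

int main(void)
{
    printf("without mask: %d inside, %d past VRAM\n", marks_inside_vram(0), marks_past_vram(0));
    printf("with mask:    %d inside, %d past VRAM\n", marks_inside_vram(1), marks_past_vram(1));
    return 0;
}
```

Without the mask the loop walks one page past the 64 KiB object, which in the real device is the heap write the chain ends in; with the mask, off_cur_end wraps to a value below off_cur and the loop does not run for this region, which is the masked-end behaviour the page's fix attributes to `& s->cirrus_addr_mask` and nothing more. A region that already lies inside VRAM marks the same two pages either way.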

vendor:product:

qemu:qemu

References: Bug Report | Code with Bug | Code with Fix | NVD Entry
Class | Definition
DVR | Data Verification (DVR) class – Data are verified (semantics check) or corrected (assign, remove) improperly.
MAD | Memory Addressing (MAD) class – The pointer to an object is initialized, repositioned, or reassigned to an improper memory address.
MUS | Memory Use (MUS) class – An object is initialized, read, written, or cleared improperly.
Operation | Definition
Verify | Verify operation – Check data semantics (proper value/meaning) in order to accept (and possibly correct) or reject it.
Reposition | Reposition operation – Change the pointer to another position inside its object.
Write | Write operation – Change the data value of an object to another meaningful value.
Cause/Consequence | Definition
Code Defect Bug | Code Defect bug type operation – The operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability.
   Missing Code | Missing Code bug – The entire operation implementation or a part of its specification is absent.
Data Error/Fault | Data fault/error type – The object data has harmed semantics or an inconsistent or wrong value.
   Wrong Value | Wrong Value fault/error – Data value is not an accurate value (e.g., outside of a range).
   Wrong Size | Wrong Size fault/error – The value used as size does not match the actual size of the object.
Address Error/Fault | Address fault/error type – The object address in use is wrong.
   Over Bounds Pointer | Over Bounds Pointer fault/error – Points above the upper boundary of its object.
Memory Corruption/Disclosure Final Error | Memory Corruption/Disclosure exploitable error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs.
   Buffer Overflow | Buffer Overflow exploitable error – Writes above the upper bound of an object – aka Buffer Over-Write.
Operation Attribute | Definition
Mechanism | Mechanism operation attribute type – Shows how the buggy/faulty operation code is performed.
   Range | Range operation attribute – Checking data are within a (min, max) interval.
   Direct | Direct operation attribute – The operation is performed on a particular object element.
Source Code | Source Code operation attribute type – Shows where the buggy/faulty operation code is in the program – in what kind of software.
   Codebase | Codebase operation attribute – The operation is in the programmer's code, in the application itself.
Execution Space | Execution Space operation attribute type – Shows where the buggy/faulty operation code is running or with what privilege level.
   Bare-Metal | Bare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only software running and has total access to the hardware.
Operand Attribute | Definition
Data State | State operand attribute type – Shows where the data come from.
   In Use | In Use operand attribute – The data are from a volatile storage (e.g., RAM, cache memory).
Address State | State operand attribute type – Shows where the address is in the memory layout.
   Heap | Heap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() and new).
Size Kind | Kind operand attribute type – Shows what the limit for traversal of the object is.
   Used | Used operand attribute – A supplied size for an object.