BF Specification of CVE-2007-1320 — Heap Buffer Overflows in the Cirrus VGA extension in QEMU 0.8.2
Missing Code (in cirrus_invalidate_region() and others) to Correct (upper bound by applying & s->cirrus_addr_mask) of In Use data using Quantity mechanism in Codebase source code (hw/cirrus_vga.c#L642 hw/cirrus_vga.c#L657 hw/cirrus_vga.c#L674 hw/cirrus_vga.c#L693-#L694 hw/cirrus_vga.c#L744-#L745 hw/cirrus_vga.c#L771-#L772 hw/cirrus_vga.c#L804-#L805 hw/cirrus_vga.c#L1923 hw/cirrus_vga.c#L1946) in Bare-Metal execution space (Xen bare-metal hypervisor) leads to Wrong Value (off_cur_end) error, which propagates to
Wrong Size (in 'while (off_cur < off_cur_end)') to Reposition (pointer) on Heap with Used size using Direct mechanism in Codebase source code (hw/cirrus_vga.c#L664) in Bare-Metal execution space (Xen bare-metal hypervisor) that results in Overbound Pointer (s->vram_offset + off_cur) error, which propagates to
Overbound Pointer (in 'cpu_physical_memory_set_dirty(s->vram_offset + off_cur)') to Write using Sequential mechanism in Codebase source code (hw/cirrus_vga.c#L645) in Bare-Metal execution space (Xen bare-metal hypervisor) that results in Buffer Overflow (heap) final error, which can be exploited toward
Arbitrary Code Execution (ACE) (Everything Could be Lost) or Denial of Service (DOS) (Availability Loss) security failure.
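The chain above can be followed in code. The block below is an added illustration written for this page, not QEMU's hw/cirrus_vga.c and not part of the BF specification: it models the cirrus_invalidate_region() loop shape the chain describes, with the page-dirtying call replaced by a bounds-counting stand-in so the overbound Write is observed rather than performed. The page size, the 4 MiB VRAM size, the struct layout and the function names set_dirty_checked(), invalidate_region(), oob_marks() and dirty_pages() are assumptions of the example; only the loop, the unbounded off_cur_end, and the & s->cirrus_addr_mask correction come from the chain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the cirrus_invalidate_region() loop from the BF chain.
 * Page size, VRAM size and the struct are assumptions for this example. */
#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_SIZE (1 << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(TARGET_PAGE_SIZE - 1))

#define VRAM_SIZE  (4 * 1024 * 1024)              /* assumed 4 MiB of emulated VRAM */
#define VRAM_PAGES (VRAM_SIZE / TARGET_PAGE_SIZE)

typedef struct {
    int cirrus_addr_mask;       /* VRAM_SIZE - 1: valid offsets are 0..VRAM_SIZE-1 */
    uint8_t dirty[VRAM_PAGES];  /* stand-in for the per-page dirty bitmap */
    unsigned long oob_writes;   /* marks requested for pages beyond VRAM */
} VgaModel;

/* Stand-in for cpu_physical_memory_set_dirty(). The real call has no knowledge
 * of the device's VRAM bound, so an overbound offset becomes a heap write (the
 * chain's final error); here the overbound case is counted instead of written. */
static void set_dirty_checked(VgaModel *s, int off)
{
    if (off < 0 || off >= VRAM_SIZE) {
        s->oob_writes++;
        return;
    }
    s->dirty[off >> TARGET_PAGE_BITS] = 1;
}

/* Shared loop body. masked == 0 reproduces the QEMU 0.8.2 shape, where
 * off_cur_end is never bounded by cirrus_addr_mask (the Missing Code);
 * masked == 1 applies the correction the chain names: & s->cirrus_addr_mask. */
static void invalidate_region(VgaModel *s, int masked, int off_begin,
                              int off_pitch, int bytesperline, int lines)
{
    for (int y = 0; y < lines; y++) {
        int off_cur = off_begin;
        int off_cur_end = off_cur + bytesperline;   /* Wrong Value when unmasked */
        if (masked)
            off_cur_end &= s->cirrus_addr_mask;     /* Correct: bound the upper end */
        off_cur &= TARGET_PAGE_MASK;
        while (off_cur < off_cur_end) {             /* Wrong Size drives the Reposition */
            set_dirty_checked(s, off_cur);          /* the Sequential Write */
            off_cur += TARGET_PAGE_SIZE;
        }
        off_begin += off_pitch;
    }
}

/* Run one variant on a fresh model; return how many marks fell outside VRAM. */
unsigned long oob_marks(int masked, int off_begin, int off_pitch,
                        int bytesperline, int lines)
{
    VgaModel s;
    memset(&s, 0, sizeof s);
    s.cirrus_addr_mask = VRAM_SIZE - 1;
    invalidate_region(&s, masked, off_begin, off_pitch, bytesperline, lines);
    return s.oob_writes;
}

/* Same run; return how many VRAM pages were marked dirty in bounds. */
unsigned long dirty_pages(int masked, int off_begin, int off_pitch,
                          int bytesperline, int lines)
{
    VgaModel s;
    memset(&s, 0, sizeof s);
    s.cirrus_addr_mask = VRAM_SIZE - 1;
    invalidate_region(&s, masked, off_begin, off_pitch, bytesperline, lines);
    unsigned long n = 0;
    for (int i = 0; i < VRAM_PAGES; i++)
        n += s.dirty[i];
    return n;
}

int main(void)
{
    /* A region starting on the last VRAM page with a line 16 pages long:
     * the unmasked loop walks 15 pages past the end of VRAM, the masked one none. */
    printf("unmasked out-of-bounds marks: %lu\n",
           oob_marks(0, VRAM_SIZE - TARGET_PAGE_SIZE, 0, 16 * TARGET_PAGE_SIZE, 1));
    printf("masked   out-of-bounds marks: %lu\n",
           oob_marks(1, VRAM_SIZE - TARGET_PAGE_SIZE, 0, 16 * TARGET_PAGE_SIZE, 1));
    return 0;
}
```

One property of the modelled correction worth noticing when reviewing a fix of this shape: masking the upper bound truncates rather than clamps, so a region that straddles the end of VRAM yields an off_cur_end below off_cur and the loop marks nothing at all. That is safe with respect to the heap write, which is the point of the chain, but a reviewer would confirm that callers already mask off_begin (the chain lists several caller sites among the affected lines) so that the lower bound cannot itself sit past the end.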
| Class | Definition |
|---|---|
| DVR | Data Verification (DVR) class – Data are verified (i.e., semantics check) or corrected (i.e., assign or remove) improperly. |
| MAD | Memory Addressing (MAD) class – The pointer to an object is initialized, dereferenced, repositioned, or reassigned to an improper memory address. |
| MUS | Memory Use (MUS) class – An object is initialized, read, written, or cleared improperly. |

| Operation | Definition |
|---|---|
| Correct | Correct operation – Modify data (e.g., assign new value or remove) to make it accurate. |
| Reposition | Reposition operation – Change the pointer to another position inside its object. |
| Write | Write operation – Change the data value of an object in memory to another meaningful value. |

| Cause/Consequence | Definition |
|---|---|
| Code Bug | Code Bug type – An error in the implementation of an operation – proper operands over an improper operation. It is the root cause of a security vulnerability. Must be fixed to resolve the vulnerability. |
| Missing Code | Missing Code bug – The operation is misplaced or entirely absent. |
| Data Error/Fault | Data error (or fault) type – The data of an object has harmed semantics or inconsistent or wrong value. |
| Wrong Value | Wrong Value error (or fault) – The data value is not accurate (e.g., outside of a range). |
| Wrong Size | Wrong Size error (or fault) – The value used as size or length (i.e., the number of elements) does not match the object's memory size or length (e.g., to limit a pointer reposition or index increment/decrement in a repetition statement). |
| Overbound Pointer | |
| Injection Final Error | Injection final error/exploit vector type – An exploitable or undefined system behavior caused by validation or sanitization bugs. |
| Buffer Overflow | |

| Operation Attribute | Definition |
|---|---|
| Mechanism | Mechanism operation attribute type – Shows how the operation with a bug or faulty operand is performed. |
| Quantity | Quantity operation attribute – The operation checks data for a specific measurable value (e.g., size, time, rate, frequency). |
| Direct | Direct operation attribute – The operation is on a particular object element. |
| Sequential | Sequential operation attribute – The operation is via iterating over the object elements. |
| Source Code | Source Code operation attribute type – Shows where the code of the operation with a bug or faulty operand resides within the software, firmware, or hardware. |
| Codebase | Codebase operation attribute – The operation is in the programmer's code – in the application itself. |
| Execution Space | Execution Space operation attribute type – Shows where the operation with a bug or faulty operand is executed and the privilege level at which it runs. |
| Bare-Metal | Bare-Metal operation attribute – The bugged code runs in an environment without privilege control. Usually, the program is the only code running and has total access to the hardware. |

| Operand Attribute | Definition |
|---|---|
| Data State | Data State operand attribute type – Shows where the data comes from. |
| In Use | In Use operand attribute – Data are from a volatile storage (e.g., RAM, cache memory). |
| Address State | Address State operand attribute type – Shows where the address is (i.e., its location) in the memory layout. |
| Heap | Heap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() or new). |
| Size Kind | Size Kind operand attribute type – Shows what is used as the size or length (i.e., the number of elements) of an object – e.g., as the limit for traversal over the elements. |
| Used | Used operand attribute – A supplied value to be used as the size or length (i.e., the number of elements) of an object. |

| BFFailure | Definition |
|---|---|
| ACE | Arbitrary Code Execution (ACE) – Execution of unauthorized commands or code execution that could lead to everything being lost; remote code execution (RCE) is a sub-case of ACE on a target system or device from a remote location, typically over a network. |
| DOS | Denial of Service (DOS) – Disruption of access to or use of information or information systems that leads to availability loss. |