A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Line", "source": "https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921", "signature_version": "v1", "target": { "file": "src/virgl_hw.h" }, "digest": { "threshold": 0.9, "line_hashes": [ "212982511386522358746273595671342497611", "176747774204209346806457768416224481165", "169961600532525220405558589553595170244" ] }, "id": "CVE-2019-18389-12f47810" }, { "deprecated": false, "signature_type": "Line", "source": "https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921", "signature_version": "v1", "target": { "file": "src/vrend_renderer.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "150023804409513975484122868535164136886", "189283878556883249191112801145573941720", "2708861587290119798094756257004263193", "273175914684112087963643696582796120737", "323302747453226056343584605309866162966", "19447575492423849005765873006358988003", "181403213380005488052820626626725544696", "182022676534866431682732151249749610299", "263897265348195184485703119549565851941", "40029899954140331364357814857549437191", "65797140655162890820635426628676327462", "41198977083158660322491202228300537822", "7824466507393594217165901777151291835", "210342644148727675093932111662672900398", "87142903983319738237289855629501246278", "181290981331351594553469463719138539450", "260826916990242396476795429736978634242", "188947903820730673702306011043215310128", "271460832934047377462164318394240116979", "45733689806069258237816196943054068304", "322040750450432822753016762875383628083", "101946048269740007793673467700116581699", "160342889137666347841325691495378316651" ] }, "id": "CVE-2019-18389-203ebfe0" }, { "deprecated": false, "signature_type": "Function", "source": "https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921", "signature_version": "v1", "target": { "file": "src/vrend_renderer.c", "function": 
"vrend_renderer_transfer_iov" }, "digest": { "function_hash": "74716657909445027734381147258483684542", "length": 1233.0 }, "id": "CVE-2019-18389-d1eccb1c" }, { "deprecated": false, "signature_type": "Function", "source": "https://gitlab.freedesktop.org/virgl/virglrenderer@cbc8d8b75be360236cada63784046688aeb6d921", "signature_version": "v1", "target": { "file": "src/vrend_renderer.c", "function": "check_transfer_bounds" }, "digest": { "function_hash": "284910439952181846112313075504416121027", "length": 1249.0 }, "id": "CVE-2019-18389-e12fc0e5" } ] }