Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 467846 (CVE-2013-2016) - sys-kernel/*-sources & >=app-emulation/qemu-1.3.0 : virtio: out-of-bounds config space access
Summary: sys-kernel/*-sources & >=app-emulation/qemu-1.3.0 : virtio: out-of-bounds con...
Status: RESOLVED FIXED
Alias: CVE-2013-2016
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-29 09:38 UTC by Agostino Sarubbo
Modified: 2017-03-27 08:52 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-29 09:38:31 UTC 
From ${URL} :

A flaw was found in the way qemu validates addresses when guest accesses the config space of a 
virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a 
privileged guest user could use this flaw to access the matching host's qemu address space and thus 
increase their privileges on the host.

Acknowledgements:                                                               

This issue was found by Jason Wang of Red Hat.

References:
https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05013.html

Proposed upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2013-05-07 16:33:37 UTC 
The issue only exists with older kernels when there is no min_mmap_addr with a newer qemu (1.3.0 or newer). Not sure what maintainers really can do/should do. Really up to the security team.

No current sys-kernel/gentoo-sources in tree are affected with any app-emulation/qemu in tree.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-30 00:39:31 UTC 
@Cardoe: before I close this, could you please clarify which kernel versions would be affected?
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-06 03:49:58 UTC 
@kernel, can we confirm if any of the in tree security supported kernels are vulnerable?
Comment 4 Matthias Maier gentoo-dev 2016-09-27 02:09:08 UTC 
(In reply to Doug Goldstein from comment #1)
> No current sys-kernel/gentoo-sources in tree are affected with any
> app-emulation/qemu in tree.

I suggest we resolve this issue now? qemu is currently at version 2.7.0.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-27 08:52:00 UTC 
(In reply to Chris Reffett from comment #2)
> @Cardoe: before I close this, could you please clarify which kernel versions
> would be affected?

Since kernel v2.6.23-rc1, mmap protection was available in kernels containing commit ed0321895182ffb6ecf210e066d87911b270d587. However, this protection was disabled per default.

This became at least configurable with >=2.6.25-rc1 due to commit a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84.

Looks like until 2.6.31-rc7, the protection was still disabled per default. So vanilla kernels shipping commit 788084aba2ab7348257597496befcbccabdc98a3 were the first kernels with mmap_min_addr != 0 per default.

Debian set a value >0 with their 2.6.26-21 kernel package for the first time. I haven't checked if Gentoo ever patched any available kernel sources before upstream activated protection per default but there are indications (https://forums.gentoo.org/viewtopic-p-5891369.html) that at least gentoo-sources-2.6.30-r4 has set a value of 4096.

So a safe answer to Chris' question is <*-sources-2.6.31 in the assumption that we didn't mess with this option.

Closing because repository is clean. All done.