QEMU from version 2.10 through 3.1.0 is vulnerable to an out-of-bounds read of up to 128 bytes in hw/i2c/i2c-ddc.c, in the i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host. This was fixed upstream in commit 5b267840515730dbf6753495d5b7bd8b04ad1c.

Systems without a monitor connected are affected, as are those where a virtual monitor is presented to virtual guests. Systems with no graphics cards attached to the virtual host are not affected.

This seems to be an information leak of stack contents which can be used to defeat some kernel level protections and simplify further attacks.

Reference:
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1665792
Github patch on qemu: https://github.com/qemu/qemu/commit/b05b267840515730dbf6753495d5b7bd8b04ad1c

Reproducible: Always
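The defect class described in this report, a device register used directly as an index into a fixed 128-byte EDID buffer, can be shown with a small constructed model. This is an added example and not QEMU's hw/i2c/i2c-ddc.c code: the struct layout, the 8-bit register, the function names and the sample EDID contents are assumptions. The unchecked variant keeps the defect for comparison, and the hardened variant reduces the register modulo the buffer size before every read so no access can leave the blob.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an I2C DDC slave: a fixed 128-byte EDID blob is
 * exposed one byte per read, at an offset held in a register the I2C
 * master can set. This illustrates the bug class in the report; it is not
 * QEMU's code, and the field names and 8-bit register are assumptions. */
#define EDID_LEN 128

typedef struct {
    uint8_t reg;              /* read offset chosen by the master (0..255) */
    uint8_t edid[EDID_LEN];   /* the only data the device should expose */
} ddc_state;

/* Vulnerable shape: the register can hold values up to 255 but the blob
 * has 128 entries, so reg >= 128 reads past edid[] into whatever follows
 * the struct in memory. In this model the overrun is at most 128 bytes.
 * Kept only for comparison; nothing in this file calls it out of range. */
static uint8_t ddc_rx_unchecked(ddc_state *s)
{
    uint8_t v = s->edid[s->reg];   /* no bound check on s->reg */
    s->reg++;
    return v;
}

/* Review/test aid: report whether the unchecked path would read outside
 * edid[] for the current register value. Touches no memory. */
static int ddc_would_overrun(const ddc_state *s)
{
    return s->reg >= EDID_LEN;
}

/* Hardened shape: reduce the register into the blob before indexing, so
 * every read stays inside the 128 bytes no matter what the master wrote.
 * Wrapping is used rather than clamping because an EDID read cycles. */
static uint8_t ddc_rx_checked(ddc_state *s)
{
    uint8_t v = s->edid[s->reg % EDID_LEN];
    s->reg++;
    return v;
}

/* Fill the blob with a recognisable pattern (constructed sample data). */
static void ddc_init(ddc_state *s, uint8_t reg)
{
    for (size_t i = 0; i < EDID_LEN; i++) {
        s->edid[i] = (uint8_t)i;
    }
    s->reg = reg;
}

int main(void)
{
    ddc_state s;

    ddc_init(&s, 200);
    printf("reg=200: unchecked read would overrun: %d\n", ddc_would_overrun(&s));
    printf("reg=200: checked read returns edid[%d] = %u\n",
           200 % EDID_LEN, ddc_rx_checked(&s));

    ddc_init(&s, 5);
    printf("reg=5: in-range read returns %u\n", ddc_rx_unchecked(&s));
    return 0;
}
```

From a review standpoint, any device model that indexes a fixed array with a guest- or master-controlled register needs the same reduction or an explicit bound check before the access; a predicate like ddc_would_overrun() is a cheap way to assert that property in unit tests for every reachable register value.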
Freeing alias to create a tracker bug. UnCC'ing tamiko who is part of virtualization project.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5d70adc0520a858f4da5cd0d1161e91140f5347

commit c5d70adc0520a858f4da5cd0d1161e91140f5347
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-02-19 00:16:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-02-19 00:19:03 +0000

    app-emulation/qemu: fix vulnerability, bug #678302

    Take over commit

    From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
    From: Gerd Hoffmann <kraxel@redhat.com>
    Date: Tue, 8 Jan 2019 11:23:01 +0100
    Subject: [PATCH] i2c-ddc: fix oob read

    Bug: https://bugs.gentoo.org/678302
    Package-Manager: Portage-2.3.60, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 .../qemu/files/qemu-3.1.0-CVE-2019-3812.patch |  33 +
 app-emulation/qemu/qemu-3.1.0-r1.ebuild       | 810 +++++++++++++++++++++
 2 files changed, 843 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e67fc2d360f6924368ffdf10519f47bb35e16ab

commit 1e67fc2d360f6924368ffdf10519f47bb35e16ab
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-02-19 00:11:46 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-02-19 00:19:02 +0000

    app-emulation/qemu: drop vulnerable, bug #678302

    Bug: https://bugs.gentoo.org/672346
    Bug: https://bugs.gentoo.org/673108
    Bug: https://bugs.gentoo.org/678302
    Package-Manager: Portage-2.3.60, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest           |   2 -
 app-emulation/qemu/metadata.xml       |   2 -
 app-emulation/qemu/qemu-2.12.1.ebuild | 818 ----------------------------------
 3 files changed, 822 deletions(-)
amd64 x86 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1a446709c5018eaa8f0cd6a0238b43a1262c17b

commit f1a446709c5018eaa8f0cd6a0238b43a1262c17b
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-02-19 18:29:40 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-02-19 18:33:41 +0000

    app-emulation/qemu: drop vulnerable, bug #678302

    Bug: https://bugs.gentoo.org/678302
    Package-Manager: Portage-2.3.60, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/qemu-3.1.0.ebuild | 809 -----------------------------------
 1 file changed, 809 deletions(-)