CVE-2022-35414:

softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.

Unreleased patch:
https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c

The advisory at https://sick.codes/sick-2022-113 says "An attacker can crash and potentially execute arbitrary code as a QEMU guest."
(In reply to John Helmert III from comment #0)
> CVE-2022-35414:
>
> softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on
> the translate_fail path, leading to an io_readx or io_writex crash.
>
> Unreleased patch:
> https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
>
> The advisory at https://sick.codes/sick-2022-113 says "An attacker can crash
> and potentially execute arbitrary code as a QEMU guest."

Of course, it doesn't actually substantiate how this could result in code execution as a VM escape.
This is in all of the 7.1.0 rc's.
CVE-2020-14394 (https://bugzilla.redhat.com/show_bug.cgi?id=1908004):
https://gitlab.com/qemu-project/qemu/-/issues/646

An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.

After being reported to Red Hat almost two years ago, this issue finally made its way upstream 10 months ago, and was patched yesterday. It's in 7.1.0_rc3.
CVE-2022-0216:

A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.

Upstream issue: https://gitlab.com/qemu-project/qemu/-/issues/972
Patch (in 7.1.0 rc's): https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7141cbe5b4dac76ab10d094f8a35b5b65efe343e

commit 7141cbe5b4dac76ab10d094f8a35b5b65efe343e
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-08 01:21:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-08 01:21:33 +0000

    app-emulation/qemu: drop 7.0.0-r3

    Bug: https://bugs.gentoo.org/857657
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-emulation/qemu/Manifest                         |   2 -
 .../files/qemu-2.11.1-capstone_include_path.patch   |  11 -
 app-emulation/qemu/files/qemu-6.1.0-strings.patch   |  26 -
 ...qemu-7.0.0-also-build-virtfs-proxy-helper.patch  |  32 -
 .../qemu/files/qemu-7.0.0-glibc-2.36.patch          |  90 --
 .../qemu/files/qemu-7.0.0-have-user-meson.patch     |  36 -
 .../qemu-7.0.0-pci-overflow-fortify-source-3.patch  |  94 --
 .../qemu/files/qemu-7.0.0-virtio-scsi-fixes.patch   | 182 ----
 app-emulation/qemu/qemu-7.0.0-r3.ebuild             | 949 ---------------------
 9 files changed, 1422 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1baff7cf9283037d49a3b562d771e3cf77039bfa

commit 1baff7cf9283037d49a3b562d771e3cf77039bfa
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-09 09:49:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-09 09:49:35 +0000

    [ GLSA 202408-18 ] QEMU: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/857657
    Bug: https://bugs.gentoo.org/865121
    Bug: https://bugs.gentoo.org/883693
    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-18.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)