
Bug 372411 (CVE-2011-2212)

Summary: <app-emulation/qemu-kvm-0.14.1-r2: multiple vulnerabilities (CVE-2011-{2212,2512})
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: cardoe, jmbsvicetto, lu_zero, tommy
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://rhn.redhat.com/errata/RHSA-2011-0919.html
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2011-06-20 23:11:27 UTC
Hello vendors,

we have been informed by Nelson Elhage of a new security issue in
qemu(-kvm). Details of the issue together with assigned CVE ID
and patch proposed by Nelson are attached.

According to my knowledge, this is specific to Linux and KVM.
Upstream is affected.

Nelson agreed with a CRD of 2011-07-04 (two weeks from now) so
please consider this issue embargoed until this date passes.

Thank you,
-- 
Petr Matousek / Red Hat Security Response Team


EMBARGOED CVE-2011-2212 qemu-kvm: virtqueue: too-large indirect descriptor buffer overflow

It was found that the virtio subsystem in qemu-kvm did not properly validate
virtqueue in and out requests from the guest. A privileged guest user could use
this flaw to cause a buffer overflow, causing the guest to crash (denial of
service) or, possibly, resulting in the privileged guest user escalating their
privileges on the host.

--

virtqueue_pop (and less importantly, virtqueue_avail_bytes) do not limit
the size of an indirect descriptor entry, which allows a guest to
specify an arbitrarily-long descriptor chain, which will overflow the
fixed-size arrays in VirtQueueElement, leading to memory corruption.

From 8e16077bfcd2d06a98aec8348cc171402ed75b51 Mon Sep 17 00:00:00 2001
From: Nelson Elhage <nelhage@ksplice.com>
Date: Thu, 19 May 2011 13:23:17 -0400
Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.

We were previously allowing arbitrarily-long descriptors, which could lead to a
buffer overflow in the qemu-kvm process.
---
 hw/virtio.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/hw/virtio.c b/hw/virtio.c
index 6e8814c..4935282 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -335,6 +335,11 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
             num_bufs = i = 0;
             desc_pa = vring_desc_addr(desc_pa, i);
+
+            if (max > VIRTQUEUE_MAX_SIZE) {
+                error_report("Too-large indirect descriptor");
+                exit(1);
+            }
         }
 
         do {
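Review bot: in this hunk `num_bufs = i = 0;` runs before `desc_pa = vring_desc_addr(desc_pa, i);`, so the indirect table address is read from descriptor 0 rather than from the indirect-flagged descriptor `i` whose length was just read on the line above; the virtqueue_pop hunk reads the address first and only then zeroes `i`, and this site should use the same order (pre-existing, but worth fixing alongside since the new bound is derived from that same descriptor). The new `max > VIRTQUEUE_MAX_SIZE` check itself is correctly placed after `max` is derived and before the `do {` loop consumes it.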
@@ -405,6 +410,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
         max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
         desc_pa = vring_desc_addr(desc_pa, i);
         i = 0;
+
+        if (max > VIRTQUEUE_MAX_SIZE) {
+            error_report("Too-large indirect descriptor");
+            exit(1);
+        }
     }
 
     /* Collect all the descriptors */
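Review bot: `exit(1)` here aborts the whole qemu-kvm process on a value that is entirely guest-controlled, so a buggy or malicious driver can take its VM down rather than receive a device error; that is the right trade against writing past the fixed-size arrays in VirtQueueElement that the commit message describes, but a one-line comment tying `VIRTQUEUE_MAX_SIZE` to the size of those arrays would make the invariant obvious to the next reader, and since both hunks use the identical string "Too-large indirect descriptor", the two sites are indistinguishable in logs, so include the function name in each `error_report`.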
-- 
1.7.4.44.gf9e72


--uXxg6w1szOgo69o3--
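The overflow described above (an unbounded indirect descriptor chain collected into the fixed arrays of VirtQueueElement), modelled as an added example written for this page rather than QEMU's own code: a reduced walk over a guest-supplied indirect table that applies the bound the patch introduces and also models the neighbouring length and next-index checks the walk relies on. The descriptor layout, the value of VIRTQUEUE_MAX_SIZE and the demo tables are assumptions of the model.

```c
/* Added example, not QEMU's code: a reduced model of the indirect-descriptor
 * walk in hw/virtio.c, showing why the VIRTQUEUE_MAX_SIZE bound is needed. */
#include <stdint.h>
#define VIRTQUEUE_MAX_SIZE 1024   /* length of the fixed arrays in VirtQueueElement (assumed) */
#define VRING_DESC_F_NEXT  1

typedef struct { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; } VRingDesc;
typedef struct { unsigned int in_num; uint64_t in_addr[VIRTQUEUE_MAX_SIZE]; } VirtQueueElement;

/* Walk an indirect table of len bytes in guest memory (table) and collect the
 * descriptor addresses into elem.  Returns the number collected, or -1 when the
 * guest-supplied table is rejected.  Every value read here is guest-controlled. */
int walk_indirect(const VRingDesc *table, uint32_t len, VirtQueueElement *elem)
{
    if (len % sizeof(VRingDesc) != 0)   /* table must hold whole descriptors */
        return -1;
    unsigned int max = len / sizeof(VRingDesc);
    /* The bound added for CVE-2011-2212: the loop below only checks num against
     * max, so without this line num can run past the end of in_addr. */
    if (max > VIRTQUEUE_MAX_SIZE)
        return -1;
    unsigned int i = 0, num = 0;
    for (;;) {
        if (num >= max)                 /* more entries than the table has: a loop */
            return -1;
        elem->in_addr[num++] = table[i].addr;
        if (!(table[i].flags & VRING_DESC_F_NEXT))
            break;
        i = table[i].next;
        if (i >= max)                   /* next index points outside the table */
            return -1;
    }
    elem->in_num = num;
    return (int)num;
}

/* Constructed guest tables (not captured from a real guest); the second one
 * claims 1025 descriptors and is rejected before the table is read at all. */
int demo_valid_chain(void)
{
    VRingDesc t[3] = { {0x1000, 64, VRING_DESC_F_NEXT, 1}, {0x2000, 64, VRING_DESC_F_NEXT, 2}, {0x3000, 64, 0, 0} };
    VirtQueueElement e;
    return walk_indirect(t, sizeof t, &e);              /* returns 3 */
}

int demo_oversized_table(void)
{
    VRingDesc t[1] = { {0x1000, 64, 0, 0} };
    VirtQueueElement e;
    return walk_indirect(t, (VIRTQUEUE_MAX_SIZE + 1) * sizeof(VRingDesc), &e);  /* returns -1 */
}
```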
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-07-07 14:56:03 UTC
Now public.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2011-07-07 23:38:35 UTC
Please provide an updated ebuild!
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2011-07-21 20:52:02 UTC
Fixed in 0.14.1-r2.
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2011-07-21 20:52:24 UTC
Didn't mean to close it.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 21:19:19 UTC
(In reply to comment #3)
> Fixed in 0.14.1-r2.

Great, thanks. Can we move forward with stabilization?
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-10-18 03:16:03 UTC
Stabilization of fixed code going on in bug 364889.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2012-01-30 12:05:32 UTC
Removing dependency, 0.14.1-r2 is stable already.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-27 21:39:42 UTC
Added to pending GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-27 22:22:34 UTC
CVE-2011-2512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2512):
  The virtio_queue_notify in qemu-kvm 0.14.0 and earlier does not properly
  validate the virtqueue number, which allows guest users to cause a denial of
  service (guest crash) and possibly execute arbitrary code via a negative
  number in the Queue Notify field of the Virtio Header, which bypasses a
  signed comparison.

CVE-2011-2212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2212):
  Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier
  allows privileged guest users to cause a denial of service (guest crash) or
  gain privileges via a crafted indirect descriptor related to "virtqueue in
  and out requests."
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:59:27 UTC
This issue was resolved and addressed in
 GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml
by GLSA coordinator Stefan Behte (craig).