| Summary: | sys-kernel/*-sources & >=app-emulation/qemu-1.3.0 : virtio: out-of-bounds config space access | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Kernel | Assignee: | Gentoo Kernel Security <security-kernel> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | cardoe, qemu+disabled, security-kernel |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=957155 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
The issue only exists with older kernels when there is no min_mmap_addr with a newer qemu (1.3.0 or newer). Not sure what maintainers really can do/should do. Really up to the security team. No current sys-kernel/gentoo-sources in tree are affected with any app-emulation/qemu in tree. @Cardoe: before I close this, could you please clarify which kernel versions would be affected? @kernel, can we confirm if any of the in tree security supported kernels are vulnerable? (In reply to Doug Goldstein from comment #1) > No current sys-kernel/gentoo-sources in tree are affected with any > app-emulation/qemu in tree. I suggest we resolve this issue now? qemu is currently at version 2.7.0. (In reply to Chris Reffett from comment #2) > @Cardoe: before I close this, could you please clarify which kernel versions > would be affected? Since kernel v2.6.23-rc1, mmap protection was available in kernels containing commit ed0321895182ffb6ecf210e066d87911b270d587. However, this protection was disabled per default. This became at least configurable with >=2.6.25-rc1 due to commit a5ecbcb8c13ea8a822d243bf782d0dc9525b4f84. Looks like until 2.6.31-rc7, the protection was still disabled per default. So vanilla kernels shipping commit 788084aba2ab7348257597496befcbccabdc98a3 were the first kernels with mmap_min_addr != 0 per default. Debian set a value >0 with their 2.6.26-21 kernel package for the first time. I haven't checked if Gentoo ever patched any available kernel sources before upstream activated protection per default but there are indications (https://forums.gentoo.org/viewtopic-p-5891369.html) that at least gentoo-sources-2.6.30-r4 has set a value of 4096. So a safe answer to Chris' question is <*-sources-2.6.31 in the assumption that we didn't mess with this option. Closing because repository is clean. All done. |
From ${URL} : A flaw was found in the way qemu validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host. Acknowledgements: This issue was found by Jason Wang of Red Hat. References: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05013.html Proposed upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not