Summary: | <app-emulation/qemu-6.2.0: privileged guest user can cause host DoS (CVE-2021-{3416,20203,20255,20257}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ajak, sam, tamiko, virtualization, zlogene |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.launchpad.net/qemu/+bug/1913873 | ||
Whiteboard: | B3 [glsa+] | ||
Package list: | | Runtime testing required: | --- |
Description
John Helmert III
2021-02-27 02:38:51 UTC
A few others triggerable by guests.

CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator

Possible patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

CVE-2021-20257: infinite loop in e1000 NIC emulator.
Possible patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

CVE-2021-3416: infinite loops in various NIC emulators.
Possible patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation.

One patch landed upstream so far:

commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:45:28 2021 +0800

    e1000: fail early for evil descriptor

Package list is empty or all packages have requested keywords.

(In reply to John Helmert III from comment #0)
> CVE-2021-20203:
>
> An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> for versions up to v5.2.0. It may occur if a guest was to supply invalid
> values for rx/tx queue size or other NIC parameters. A privileged guest user
> may use this flaw to crash the QEMU process on the host resulting in DoS
> scenario.
>
> Looks like no fix yet.

Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

(In reply to John Helmert III from comment #1)
> A few others triggerable by guests.
>
> CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
>
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

Can't find where this was applied, nor an upstream issue.

> CVE-2021-20257: infinite loop in e1000 NIC emulator.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

In 6.0.0 onward.

> CVE-2021-3416: infinite loops in various NIC emulators.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

Series in 6.0.0 onward.

(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> >
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> >
> > Looks like no fix yet.
>
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

Patch in 6.2.0: https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88728facafb993c7280547eb4d645

> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> >
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> >
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
>
> Can't find where this was applied, nor an upstream issue.
>
> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
>
> In 6.0.0 onward.
>
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
>
> Series in 6.0.0 onward.

(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> >
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> >
> > Looks like no fix yet.
>
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.
>
> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> >
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> >
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
>
> Can't find where this was applied, nor an upstream issue.

I'll just pop this CVE into a different bug so we can proceed with the rest of the CVEs here.

> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
>
> In 6.0.0 onward.
>
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
>
> Series in 6.0.0 onward.

GLSA request filed

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)

GLSA done, all done.