Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 835607 (CVE-2022-26353, CVE-2022-26354)

Summary: <app-emulation/qemu-7.0.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: ajak, sam, tamiko, virtualization, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 03:56:16 UTC
CVE-2022-26353 (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html):

A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.

CVE-2022-26354 (https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf):

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

Fixed in 7.0.0-rc0.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-30 02:51:07 UTC
CVE-2022-1050 (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html):

Guest driver might execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.

The referenced patch doesn't seem to be upstreamed.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-20 15:31:32 UTC
(In reply to John Helmert III from comment #0)
> CVE-2022-26353
> (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html):
> 
> A flaw was found in the virtio-net device of QEMU. This flaw was
> inadvertently introduced with the fix for CVE-2021-3748, which forgot to
> unmap the cached virtqueue elements on error, leading to memory leakage and
> other unexpected results. Affected QEMU version: 6.2.0.

Also in 7.0.0.

> CVE-2022-26354
> (https://gitlab.com/qemu-project/qemu/-/commit/
> 8d1b247f3748ac4078524130c6d7ae42b6140aaf):
> 
> A flaw was found in the vhost-vsock device of QEMU. In case of error, an
> invalid element was not detached from the virtqueue before freeing its
> memory, leading to memory leakage and other unexpected results. Affected
> QEMU versions <= 6.2.0.
> 
> Fixed in 7.0.0-rc0.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 03:05:06 UTC
(In reply to John Helmert III from comment #1)
> CVE-2022-1050
> (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html):
> 
> Guest driver might execute HW commands when shared buffers are not yet
> allocated, potentially leading to a use-after-free condition.
> 
> The referenced patch doesn't seem to be upstreamed.

Popping this one out of this bug so we can proceed with the other issues here.