
Bug 865121 (CVE-2022-1050, CVE-2022-2962, CVE-2023-1544)

Summary: <app-emulation/qemu-8.0.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: ajak, sam, tamiko, virtualization, zlogene
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa? cleanup]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 03:07:08 UTC
CVE-2021-20255 (https://bugzilla.redhat.com/show_bug.cgi?id=1930646):
https://www.openwall.com/lists/oss-security/2021/02/25/1
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1
https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html
https://security.netapp.com/advisory/ntap-20210507-0003/

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2022-1050 (https://bugzilla.redhat.com/show_bug.cgi?id=2069625):

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-14 00:25:12 UTC
CVE-2022-2962 (https://gitlab.com/qemu-project/qemu/-/issues/1171):
https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
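The reentrancy mechanism described for CVE-2022-2962, as an added illustration that is not from the bug report or from QEMU: a small C model in which a descriptor fetch aimed at the NIC's own MMIO window dispatches back into the MMIO handler, which fetches again, until the guard refuses the address. All names (nic_model, run_scenario, bus_read) and the RAM/MMIO layout are constructed for the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
/* Constructed model of the guard described for CVE-2022-2962: a descriptor
 * ring pointed at the NIC's own MMIO window makes the descriptor DMA dispatch
 * back into the MMIO handler, which fetches again. Hypothetical names, not QEMU's API. */
#define RAM_SIZE   0x1000
#define MMIO_BASE  0xF0000000ULL
#define MMIO_SIZE  0x100ULL
#define DESC_SIZE  16
#define MAX_DEPTH  64   /* cap so the unguarded model cannot really overflow */
typedef struct {
    uint8_t  ram[RAM_SIZE];     /* constructed guest memory */
    uint64_t desc_addr;         /* guest-supplied rx descriptor address */
    int      depth, max_depth;  /* MMIO handler nesting: current / deepest */
    bool     guard;             /* true = with the fix applied */
} nic_model;
static void nic_mmio_write(nic_model *d);

static bool overlaps_mmio(uint64_t addr, uint64_t len)
{ return addr < MMIO_BASE + MMIO_SIZE && addr + len > MMIO_BASE; }

/* Bus read as the device sees it: guest RAM, or a dispatch into MMIO. */
static int bus_read(nic_model *d, uint64_t addr, uint8_t *out, uint64_t len)
{
    if (addr + len <= RAM_SIZE) { memcpy(out, d->ram + addr, len); return 0; }
    if (overlaps_mmio(addr, len)) { nic_mmio_write(d); memset(out, 0, len); return 0; }
    return -1;  /* unmapped: DMA fails, nothing copied */
}

/* Descriptor fetch: with the guard, refuse to DMA from our own registers. */
static int fetch_desc(nic_model *d, uint8_t desc[DESC_SIZE])
{
    if (d->guard && overlaps_mmio(d->desc_addr, DESC_SIZE)) return -1;
    return bus_read(d, d->desc_addr, desc, DESC_SIZE);
}

/* The "start receive" register handler kicks off a descriptor fetch. */
static void nic_mmio_write(nic_model *d)
{
    uint8_t desc[DESC_SIZE];
    if (++d->depth > d->max_depth) d->max_depth = d->depth;
    if (d->depth < MAX_DEPTH) fetch_desc(d, desc);
    d->depth--;
}

/* One guest "start receive" with the ring at desc_addr; returns deepest nesting (1 = no reentry). */
int run_scenario(bool guard, uint64_t desc_addr)
{
    nic_model d; memset(&d, 0, sizeof d);
    d.guard = guard; d.desc_addr = desc_addr;
    nic_mmio_write(&d);
    return d.max_depth;
}
```

Without the guard the nesting runs to MAX_DEPTH, which in a real device model would be a stack overflow; with it, a ring inside the MMIO window is refused at depth 1 and a ring in guest RAM is served normally.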
Comment 2 Larry the Git Cow gentoo-dev 2023-05-05 18:11:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be4c0fdfda7a00698701d61467154dba7009e38e

commit be4c0fdfda7a00698701d61467154dba7009e38e
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-05-05 16:19:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-05-05 18:11:17 +0000

    app-emulation/qemu: add 8.0.0
    
     - merge qemu-7.2.1 and qemu-9999 ebuilds
     - remove static keyword
     - update to --enable-trace-backends configuration option
    
    Bug: https://bugs.gentoo.org/905342
    Bug: https://bugs.gentoo.org/865121
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                        |   1 +
 .../qemu/files/qemu-8.0.0-disable-keymap.patch     |  18 +-
 app-emulation/qemu/files/qemu-8.0.0-make.patch     |   9 +-
 app-emulation/qemu/qemu-8.0.0.ebuild               | 962 +++++++++++++++++++++
 4 files changed, 978 insertions(+), 12 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-26 04:28:23 UTC
Looks like the patch for CVE-2022-1050 is in 8.0.0 and CVE-2023-2962 in 7.2.0. Let's remove CVE-2021-20255 and proceed with this bug otherwise.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-26 04:37:14 UTC
CVE-2023-1544 (https://bugzilla.redhat.com/show_bug.cgi?id=2180364):

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-30 03:00:50 UTC
(managed to typo the bug number)

commit 50ad24c08d86326adcff296e6beb26107e0ab028
Author: John Helmert III <ajak@gentoo.org>
Date:   Sun Oct 29 19:57:34 2023 -0700

    app-emulation/qemu: drop 7.2.0-r3, 7.2.3

    Bug: https://bugs.gentoo.org/909542
    Bug: https://bugs.gentoo.org/865112
    Signed-off-by: John Helmert III <ajak@gentoo.org>