Bug 373997 (CVE-2011-2512) - <app-emulation/qemu-kvm-1.0-r3 : Denial of Service vulnerability (CVE-2011-2512)
Summary: <app-emulation/qemu-kvm-1.0-r3 : Denial of Service vulnerability (CVE-2011-2512)
Status: RESOLVED FIXED
Alias: CVE-2011-2512
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://patchwork.ozlabs.org/patch/94604/
Whiteboard: B3 [glsa]
Keywords:
Depends on: 407345 407357 408977
Blocks: CVE-2012-0029
Reported: 2011-07-04 05:56 UTC by Tim Sammut (RETIRED)
Modified: 2012-10-18 20:59 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-07-04 05:56:44 UTC
One mention of this bug says it can be used to crash a guest by an unprivileged user, or possibly elevate privileges on the host.

From the upstream bug at $URL:

The virtio_queue_notify() function checks that the virtqueue number is
less than the maximum number of virtqueues.  A signed comparison is used
but the virtqueue number could be negative if a buggy or malicious guest
is run.  This results in memory accesses outside of the virtqueue array.

It is risky doing input validation in common code instead of at the
guest<->host boundary.  Note that virtio_queue_set_addr(),
virtio_queue_get_addr(), virtio_queue_get_num(), and many other virtio
functions do *not* validate the virtqueue number argument.

Instead of fixing the comparison in virtio_queue_notify(), move the
comparison to the virtio bindings (just like VIRTIO_PCI_QUEUE_SEL) where
we have a uint32_t value and can avoid ever calling into common virtio
code if the virtqueue number is invalid.
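As an added illustration of the two check shapes described above (example code written for this page, not the upstream patch or QEMU's own source): the pre-fix signed comparison in common code lets a negative queue number through, while the post-fix check at the PCI binding rejects the raw uint32_t register value before any virtqueue array is touched. The struct layout and the value of VIRTIO_PCI_QUEUE_MAX are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed queue limit for this example (QEMU's real constant may differ). */
#define VIRTIO_PCI_QUEUE_MAX 64

/* Minimal stand-in for the virtqueue array; constructed for this example. */
typedef struct { unsigned notify_count; } VirtQueue;
typedef struct { VirtQueue vq[VIRTIO_PCI_QUEUE_MAX]; } VirtIODevice;

/* Pre-fix shape of virtio_queue_notify()'s check: the queue number is a
 * signed int, so "n < max" accepts every negative n. Returns true when the
 * check would have passed (and vq[n] would have been indexed); no memory
 * is touched here. */
bool vulnerable_check_accepts(int n)
{
    return n < VIRTIO_PCI_QUEUE_MAX;
}

/* How a guest register write reaches that check: the 32-bit value is
 * converted to int, so 0xFFFFFFFF becomes -1 on two's-complement targets
 * (implementation-defined conversion, but what GCC does). */
bool old_path_accepts_register_write(uint32_t val)
{
    int n = (int)val;
    return vulnerable_check_accepts(n);
}

/* Post-fix shape: the PCI binding validates the unsigned register value
 * (as it already does for VIRTIO_PCI_QUEUE_SEL) and never calls into
 * common virtio code for an out-of-range queue. Returns true if the
 * notification was delivered. */
bool pci_queue_notify(VirtIODevice *vdev, uint32_t val)
{
    if (val >= VIRTIO_PCI_QUEUE_MAX) {
        return false;   /* rejected at the guest<->host boundary */
    }
    vdev->vq[val].notify_count++;
    return true;
}

/* Convenience: run one register write against a zeroed device. */
bool notify_fresh_device(uint32_t val)
{
    VirtIODevice dev;
    memset(&dev, 0, sizeof dev);
    return pci_queue_notify(&dev, val);
}
```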
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2012-01-31 10:15:09 UTC
This patch is included in qemu-kvm-1.0.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-27 21:39:13 UTC
Added to pending GLSA request.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2012-03-07 22:56:39 UTC
stabilization target: app-emulation/qemu-kvm-1.0-r3

target keywords: amd64 x86
Comment 4 Michael Harrison 2012-03-13 23:12:45 UTC
USE="spice" yields the following:
The following keyword changes are necessary to proceed:
#required by app-emulation/spice-0.10.1[smartcard], required by app-emulation/qemu-kvm-1.0-r3[spice], required by =app-emulation/qemu-kvm-1.0-r3 (argument)

=app-emulation/libcacard-0.1.2 ~amd64

#required by app-emulation/libcacard-0.1.2, required by app-emulation/spice-0.10.1[smartcard], required by app-emulation/qemu-kvm-1.0-r3[spice], required by =app-emulation/qemu-kvm-1.0-r3 (argument)

=sys-apps/pcsc-lite-1.8.2 ~amd64

still going
Comment 5 Michael Harrison 2012-03-13 23:46:50 UTC
amd64 ok
Comment 6 Doug Goldstein (RETIRED) gentoo-dev 2012-03-14 05:14:13 UTC
(In reply to comment #4)
> USE="spice" yields the following:
> The following keyword changes are necessary to proceed:
> #required by app-emulation/spice-0.10.1[smartcard], required by
> app-emulation/qemu-kvm-1.0-r3[spice], required by
> =app-emulation/qemu-kvm-1.0-r3 (argument)
> 
> =app-emulation/libcacard-0.1.2 ~amd64
> 
> #required by app-emulation/libcacard-0.1.2, required by
> app-emulation/spice-0.10.1[smartcard], required by
> app-emulation/qemu-kvm-1.0-r3[spice], required by
> =app-emulation/qemu-kvm-1.0-r3 (argument)
> 
> =sys-apps/pcsc-lite-1.8.2 ~amd64
> 
> still going

If you follow the depend chain, I requested app-emulation/spice-0.10.0 to be stable in bug #407357. It does not have any depends on smart card bits or libs.
Comment 7 Doug Goldstein (RETIRED) gentoo-dev 2012-03-14 05:22:44 UTC
I apologize. It appears it was updated to say 0.10.1 but we only need 0.10.0.
Comment 8 Agostino Sarubbo gentoo-dev 2012-03-15 12:29:03 UTC
amd64 stable
Comment 9 Michael Weber (RETIRED) gentoo-dev 2012-03-20 09:56:17 UTC
Sorry for the bugspam, but qemu-kvm-1.0* does not work out of the box (with libvirt); see bug 408977.
Comment 10 Agostino Sarubbo gentoo-dev 2012-04-10 18:39:09 UTC
@x86 

you probably will continue in bug 411501. Feel free to stabilize it in the meantime
Comment 11 Agostino Sarubbo gentoo-dev 2012-04-12 12:52:36 UTC
(In reply to comment #10)
> @x86 
> 
> you probably will continue in bug 411501. Feel free to stabilize it in the
> meantime

My bad, that bug is invalid, please continue. Apologies for the mail spam.
Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-05-09 14:40:57 UTC
x86 stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:59:30 UTC
This issue was resolved and addressed in GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml by GLSA coordinator Stefan Behte (craig).