Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 678302 - <app-emulation/qemu-3.1.0-r1: Out-of-bounds read in hw/i2c/i2c-ddc.c allows for memory disclosure (CVE-2019-3812)
Summary: <app-emulation/qemu-3.1.0-r1: Out-of-bounds read in hw/i2c/i2c-ddc.c allows f...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2019/q1/138
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2019-3812
  Show dependency tree
 
Reported: 2019-02-18 16:26 UTC by Fadi Abu Sneineh
Modified: 2019-03-10 03:40 UTC (History)
1 user (show)

See Also:
Package list:
app-emulation/qemu-3.1.0-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Fadi Abu Sneineh 2019-02-18 16:26:57 UTC
QEMU through version 2.10 through to 3.1.0 is vulnerable to an
out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c in the
function i2c_ddc() function. A local attacker with permission to
execute i2c commands could exploit this to read stack memory of the
qemu process on the host.

This was fixed upstream in commit 5b267840515730dbf6753495d5b7bd8b04ad1c

Systems without a monitor connected are affected, as are virtual
monitor is presented to virtual guests.  Systems with no graphics
cards attached to the virtual host are not affected.

This seems to be an information leak of stack contents which can be
used to defeat some kernel level protections and simplify further
attacks.

Reference:

Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1665792

Github patch on qemu:
https://github.com/qemu/qemu/commit/b05b267840515730dbf6753495d5b7bd8b04ad1c

Reproducible: Always
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-02-18 21:35:03 UTC
Freeing alias to create a tracker bug.

UnCC'ing tamiko who is part of virtualization project.
Comment 2 Larry the Git Cow gentoo-dev 2019-02-19 00:19:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5d70adc0520a858f4da5cd0d1161e91140f5347

commit c5d70adc0520a858f4da5cd0d1161e91140f5347
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-02-19 00:16:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-02-19 00:19:03 +0000

    app-emulation/qemu: fix vulnerability, bug #678302
    
    Take over commit
    
      From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
      From: Gerd Hoffmann <kraxel@redhat.com>
      Date: Tue, 8 Jan 2019 11:23:01 +0100
      Subject: [PATCH] i2c-ddc: fix oob read
    
    Bug: https://bugs.gentoo.org/678302
    Package-Manager: Portage-2.3.60, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 .../qemu/files/qemu-3.1.0-CVE-2019-3812.patch      |  33 +
 app-emulation/qemu/qemu-3.1.0-r1.ebuild            | 810 +++++++++++++++++++++
 2 files changed, 843 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e67fc2d360f6924368ffdf10519f47bb35e16ab

commit 1e67fc2d360f6924368ffdf10519f47bb35e16ab
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-02-19 00:11:46 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-02-19 00:19:02 +0000

    app-emulation/qemu: drop vulnerable, bug #678302
    
    Bug: https://bugs.gentoo.org/672346
    Bug: https://bugs.gentoo.org/673108
    Bug: https://bugs.gentoo.org/678302
    Package-Manager: Portage-2.3.60, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest           |   2 -
 app-emulation/qemu/metadata.xml       |   2 -
 app-emulation/qemu/qemu-2.12.1.ebuild | 818 ----------------------------------
 3 files changed, 822 deletions(-)
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-02-19 11:57:08 UTC
amd64 x86 stable
Comment 4 Larry the Git Cow gentoo-dev 2019-02-19 18:33:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1a446709c5018eaa8f0cd6a0238b43a1262c17b

commit f1a446709c5018eaa8f0cd6a0238b43a1262c17b
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-02-19 18:29:40 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-02-19 18:33:41 +0000

    app-emulation/qemu: drop vulnerable, bug #678302
    
    Bug: https://bugs.gentoo.org/678302
    Package-Manager: Portage-2.3.60, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/qemu-3.1.0.ebuild | 809 -----------------------------------
 1 file changed, 809 deletions(-)