CVE-2021-20203: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. Looks like no fix yet.
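The vmxnet3 report above describes the general shape of a guest-to-host integer overflow: a queue size chosen by the guest is multiplied by a descriptor size, and the product wraps before it reaches an allocator or a bounds check. The following is an added illustration, not QEMU's vmxnet3 code; the descriptor size, the ring limit and both function names are hypothetical. It places an unchecked size calculation beside one that rejects zero, out-of-range and overflowing values before any memory is touched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constants for illustration; not QEMU's real vmxnet3 values. */
#define DESC_SIZE      16u    /* bytes per ring descriptor */
#define MAX_RING_DESCS 4096u  /* largest queue size the device model accepts */

/* Unchecked: the 32-bit product wraps when the guest supplies a huge queue size,
 * so a tiny byte count can be allocated for a ring the code later treats as large. */
static uint32_t ring_bytes_unchecked(uint32_t guest_qsize)
{
    return guest_qsize * DESC_SIZE;
}

/* Checked: validate the guest value against the device's documented range and
 * use overflow-checked multiplication, so no wrapped size ever reaches an allocator. */
static bool ring_bytes_checked(uint32_t guest_qsize, size_t *out_bytes)
{
    size_t bytes;

    if (guest_qsize == 0 || guest_qsize > MAX_RING_DESCS)
        return false;                 /* out of range: refuse the configuration */

    /* GCC/Clang builtin; returns true if the product does not fit in 'bytes'. */
    if (__builtin_mul_overflow((size_t)guest_qsize, (size_t)DESC_SIZE, &bytes))
        return false;

    *out_bytes = bytes;
    return true;
}

int main(void)
{
    /* Constructed guest-controlled value: 0x10000001 * 16 wraps to 16 in 32 bits. */
    uint32_t evil_qsize = 0x10000001u;
    size_t bytes;

    printf("unchecked: qsize=0x%x -> %u bytes (wrapped)\n",
           evil_qsize, ring_bytes_unchecked(evil_qsize));

    if (!ring_bytes_checked(evil_qsize, &bytes))
        printf("checked:   qsize=0x%x rejected\n", evil_qsize);

    if (ring_bytes_checked(256, &bytes))
        printf("checked:   qsize=256 -> %zu bytes\n", bytes);

    return 0;
}
```

The range check alone is what stops the overflow here (any value at or below MAX_RING_DESCS cannot wrap), but the overflow-checked multiply is kept so the code stays correct if the limit or the descriptor size is later raised.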
A few others triggerable by guests.

CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

CVE-2021-20257: infinite loop in e1000 NIC emulator.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

CVE-2021-3416: infinite loops in various NIC emulators.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation.

One patch landed upstream so far:

commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:45:28 2021 +0800

    e1000: fail early for evil descriptor
(In reply to John Helmert III from comment #0)
> CVE-2021-20203:
>
> An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> for versions up to v5.2.0. It may occur if a guest was to supply invalid
> values for rx/tx queue size or other NIC parameters. A privileged guest user
> may use this flaw to crash the QEMU process on the host resulting in DoS
> scenario.
>
> Looks like no fix yet.

Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

(In reply to John Helmert III from comment #1)
> A few others triggerable by guests.
>
> CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
>
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

Can't find where this was applied, nor an upstream issue.

> CVE-2021-20257: infinite loop in e1000 NIC emulator.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

In 6.0.0 onward.

> CVE-2021-3416: infinite loops in various NIC emulators.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

Series in 6.0.0 onward.
(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> >
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> >
> > Looks like no fix yet.
>
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

Patch in 6.2.0: https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88728facafb993c7280547eb4d645

> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> >
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> >
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
>
> Can't find where this was applied, nor an upstream issue.
>
> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
>
> In 6.0.0 onward.
>
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
>
> Series in 6.0.0 onward.