CVE-2021-20203:

An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Looks like no fix yet.
A few others triggerable by guests.

CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator

Possible patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

CVE-2021-20257: infinite loop in e1000 NIC emulator.
Possible patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

CVE-2021-3416: infinite loops in various NIC emulators.
Possible patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation.

One patch landed upstream so far:

commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:45:28 2021 +0800

    e1000: fail early for evil descriptor
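The two bug classes named in the comments above (a guest-supplied queue size overflowing a size computation, and a descriptor walk that never terminates) share one root cause: guest-written values are trusted by the emulator. The following C block is an added illustration written for this page, not QEMU code and not any of the patches linked above; the descriptor layout, `DESC_SIZE`, `MAX_RING_ENTRIES` and all function names are hypothetical, and the ring contents are constructed for the demo. It places the unchecked pattern beside a hardened one for each class: range-check plus overflow-detecting multiply for the size, and a step bound plus link validation for the ring walk.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical device constants (constructed for this example; not
 * vmxnet3 or e1000 values). */
#define DESC_SIZE        16u     /* bytes per descriptor (assumed) */
#define MAX_RING_ENTRIES 4096u   /* largest ring this emulator accepts (assumed) */

/* Weak pattern: guest-controlled entry count multiplied with no range
 * check. For n_entries >= 2^28 the 32-bit product wraps, so a huge ring
 * is reported as a tiny byte size and later accesses run past it. */
uint32_t ring_bytes_unchecked(uint32_t n_entries)
{
    return n_entries * DESC_SIZE;
}

/* Hardened pattern: reject out-of-range counts first, then compute the
 * byte size with an overflow-detecting multiply. Returns false on any
 * rejected input so the caller can fail the guest's configuration. */
bool ring_bytes_checked(uint32_t n_entries, size_t *out_bytes)
{
    size_t bytes;

    if (n_entries == 0 || n_entries > MAX_RING_ENTRIES) {
        return false;
    }
    if (__builtin_mul_overflow((size_t)n_entries, (size_t)DESC_SIZE, &bytes)) {
        return false;
    }
    *out_bytes = bytes;
    return true;
}

/* Toy descriptor: a guest-written link to the next entry plus an
 * ownership flag (1 = owned by the device, i.e. ready for processing). */
struct desc {
    uint32_t next;
    uint8_t  owned;
};

/* Hardened ring walk. An unbounded "follow next while owned" loop spins
 * forever once the guest writes a cycle of device-owned entries; this
 * version bounds the walk by ring_len (a valid chain can never be longer
 * than the ring) and treats a link outside the ring as a protocol error.
 * Returns the number of descriptors processed, or -1 on a bad link. */
int walk_ring_bounded(const struct desc *ring, uint32_t ring_len, uint32_t head)
{
    uint32_t idx = head;
    int processed = 0;

    if (ring_len == 0 || head >= ring_len) {
        return -1;
    }
    for (uint32_t steps = 0; steps < ring_len && ring[idx].owned; steps++) {
        processed++;
        idx = ring[idx].next;
        if (idx >= ring_len) {
            return -1;  /* guest-written link points outside the ring */
        }
    }
    return processed;
}

/* Constructed inputs exercising each path; used by main() and the tests. */
long demo_checked(uint32_t n)           /* bytes, or -1 if rejected */
{
    size_t bytes;
    return ring_bytes_checked(n, &bytes) ? (long)bytes : -1;
}

int demo_chain(void)                    /* well-formed chain 0->1->2->3(unowned) */
{
    const struct desc ring[4] = { {1, 1}, {2, 1}, {3, 1}, {0, 0} };
    return walk_ring_bounded(ring, 4, 0);
}

int demo_cycle(void)                    /* guest wrote a 0<->1 cycle, all owned */
{
    const struct desc ring[2] = { {1, 1}, {0, 1} };
    return walk_ring_bounded(ring, 2, 0);
}

int demo_bad_link(void)                 /* link 5 in a 2-entry ring */
{
    const struct desc ring[2] = { {5, 1}, {0, 0} };
    return walk_ring_bounded(ring, 2, 0);
}

int main(void)
{
    printf("unchecked size for 0x10000001 entries: %u bytes (wrapped)\n",
           ring_bytes_unchecked(0x10000001u));
    printf("checked size for 0x10000001 entries: %ld (rejected)\n",
           demo_checked(0x10000001u));
    printf("checked size for 256 entries: %ld bytes\n", demo_checked(256u));
    printf("chain: %d, cycle: %d, bad link: %d\n",
           demo_chain(), demo_cycle(), demo_bad_link());
    return 0;
}
```

The cycle case returns `ring_len` rather than an error: the walk simply stops after one pass over the ring, which is the property the "fail early" style of fix is after, namely that a single guest action costs at most bounded work on the host.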
Package list is empty or all packages have requested keywords.
(In reply to John Helmert III from comment #0)
> CVE-2021-20203:
>
> An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> for versions up to v5.2.0. It may occur if a guest was to supply invalid
> values for rx/tx queue size or other NIC parameters. A privileged guest user
> may use this flaw to crash the QEMU process on the host resulting in DoS
> scenario.
>
> Looks like no fix yet.

Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

(In reply to John Helmert III from comment #1)
> A few others triggerable by guests.
>
> CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
>
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

Can't find where this was applied, nor an upstream issue.

> CVE-2021-20257: infinite loop in e1000 NIC emulator.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

In 6.0.0 onward.

> CVE-2021-3416: infinite loops in various NIC emulators.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

Series in 6.0.0 onward.
(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> >
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> >
> > Looks like no fix yet.
>
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

Patch in 6.2.0: https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88728facafb993c7280547eb4d645

> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> >
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> >
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
>
> Can't find where this was applied, nor an upstream issue.
>
> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
>
> In 6.0.0 onward.
>
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
>
> Series in 6.0.0 onward.
(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> >
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> >
> > Looks like no fix yet.
>
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.
>
> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> >
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> >
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
>
> Can't find where this was applied, nor an upstream issue.

I'll just pop this CVE into a different bug so we can proceed with the rest of the CVEs here.

> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
>
> In 6.0.0 onward.
>
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
>
> Series in 6.0.0 onward.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
GLSA done, all done.