Bug 857657 (CVE-2020-14394, CVE-2022-0216, CVE-2022-35414) - <app-emulation/qemu-7.1.0: multiple vulnerabilities
Summary: <app-emulation/qemu-7.1.0: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2020-14394, CVE-2022-0216, CVE-2022-35414
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://gitlab.com/qemu-project/qemu/...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 883695
Blocks:
Reported: 2022-07-11 17:21 UTC by John Helmert III
Modified: 2022-12-08 01:23 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-11 17:21:20 UTC
CVE-2022-35414:

softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.

Unreleased patch: https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c

The advisory at https://sick.codes/sick-2022-113 says "An attacker can crash and potentially execute arbitrary code as a QEMU guest."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-11 17:21:43 UTC
(In reply to John Helmert III from comment #0)
> CVE-2022-35414:
> 
> softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on
> the translate_fail path, leading to an io_readx or io_writex crash.
> 
> Unreleased patch:
> https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
> 
> The advisory at https://sick.codes/sick-2022-113 says "An attacker can crash
> and potentially execute arbitrary code as a QEMU guest."

Of course, it doesn't actually substantiate how this could result in code execution as a VM escape.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 01:57:47 UTC
This is in all of the 7.1.0 rc's.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-17 23:16:37 UTC
CVE-2020-14394 (https://bugzilla.redhat.com/show_bug.cgi?id=1908004):
https://gitlab.com/qemu-project/qemu/-/issues/646

An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.

After being reported to Red Hat almost two years ago, this issue finally made its way upstream 10 months ago, and was patched yesterday. It's in 7.1.0_rc3.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-27 03:10:08 UTC
CVE-2022-0216:

A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.

Upstream issue: https://gitlab.com/qemu-project/qemu/-/issues/972
Patch (in 7.1.0 rc's): https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
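The summary gives the affected range as `<app-emulation/qemu-7.1.0`, and the comments above mention pre-release versions such as 7.1.0_rc3 and revisions such as 7.0.0-r3, so deciding whether an installed version falls inside that range needs Gentoo's version ordering, not a plain string compare. The following Python is an added example, not part of this bug or of Gentoo's tooling: it implements a simplified version of that ordering (numeric components, optional letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, `-rN` revision) and checks a few constructed version strings against the range. It assumes plain version strings as input; on a real Gentoo system Portage's own `portage.versions.vercmp` is the authoritative comparator, and this code skips PMS's special leading-zero rule for later numeric components.

```python
import re

# Affected range taken from the bug summary: <app-emulation/qemu-7.1.0
FIXED_VERSION = "7.1.0"

# Suffix ordering per the Gentoo version rules. A version with no suffix
# sorts between _rc and _p, so "no suffix" (None) gets a rank in the middle.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)"                      # numeric components, e.g. 7.1.0
    r"([a-z])?"                              # optional single letter, e.g. 7.0.0a
    r"((?:_(?:alpha|beta|pre|rc|p)\d*)*)"    # zero or more suffixes, e.g. _rc3
    r"(?:-r(\d+))?$"                         # optional Gentoo revision, e.g. -r3
)


def version_key(version):
    """Return a tuple that sorts like the Gentoo version ordering (simplified)."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"not a Gentoo-style version: {version!r}")
    numbers, letter, suffixes, revision = m.groups()
    # Simplification vs. PMS: every component is compared as an integer, so
    # the leading-zero rule for components after the first is not applied.
    num_key = tuple(int(n) for n in numbers.split("."))
    suffix_key = tuple(
        (_SUFFIX_RANK[name], int(num) if num else 0)
        for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", suffixes)
    )
    # Sentinel entry so that 7.1.0_rc3 < 7.1.0 < 7.1.0_p1 under tuple comparison.
    suffix_key += ((_SUFFIX_RANK[None], 0),)
    return (num_key, letter or "", suffix_key, int(revision or 0))


def vercmp(a, b):
    """-1, 0 or 1 depending on whether version a sorts before, equal to or after b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def version_from_cpv(cpv, package="app-emulation/qemu"):
    """Extract the version part of a category/package-version string."""
    prefix = package + "-"
    if not cpv.startswith(prefix):
        raise ValueError(f"{cpv!r} is not a version of {package}")
    return cpv[len(prefix):]


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version is inside the '<fixed' range of the bug."""
    return vercmp(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample of installed package versions (not real system data).
    sample_cpvs = [
        "app-emulation/qemu-7.0.0-r3",
        "app-emulation/qemu-7.1.0_rc3",
        "app-emulation/qemu-7.1.0",
        "app-emulation/qemu-7.1.0-r1",
    ]
    for cpv in sample_cpvs:
        ver = version_from_cpv(cpv)
        state = "affected" if is_affected(ver) else "fixed"
        print(f"{cpv}: {state} (range <{FIXED_VERSION})")
```

Run as a script it classifies the constructed list; as a module, `is_affected(version_from_cpv(cpv))` can be fed the output of a package listing tool. Note that the pre-release 7.1.0_rc3 is reported as affected because the summary's range is `<7.1.0` and release candidates sort before the release; the comments above say two of the three CVEs were already patched in the 7.1.0 rc's, so for a finer per-CVE answer the fixed version would have to be set per issue.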
Comment 5 Larry the Git Cow gentoo-dev 2022-12-08 01:22:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7141cbe5b4dac76ab10d094f8a35b5b65efe343e

commit 7141cbe5b4dac76ab10d094f8a35b5b65efe343e
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-08 01:21:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-08 01:21:33 +0000

    app-emulation/qemu: drop 7.0.0-r3
    
    Bug: https://bugs.gentoo.org/857657
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-emulation/qemu/Manifest                        |   2 -
 .../files/qemu-2.11.1-capstone_include_path.patch  |  11 -
 app-emulation/qemu/files/qemu-6.1.0-strings.patch  |  26 -
 ...qemu-7.0.0-also-build-virtfs-proxy-helper.patch |  32 -
 .../qemu/files/qemu-7.0.0-glibc-2.36.patch         |  90 --
 .../qemu/files/qemu-7.0.0-have-user-meson.patch    |  36 -
 .../qemu-7.0.0-pci-overflow-fortify-source-3.patch |  94 --
 .../qemu/files/qemu-7.0.0-virtio-scsi-fixes.patch  | 182 ----
 app-emulation/qemu/qemu-7.0.0-r3.ebuild            | 949 ---------------------
 9 files changed, 1422 deletions(-)