Bug 865121 (CVE-2021-20255, CVE-2022-1050, CVE-2022-2962) - app-emulation/qemu: multiple vulnerabilities
Summary: app-emulation/qemu: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2021-20255, CVE-2022-1050, CVE-2022-2962
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ?? [upstream]
Reported: 2022-08-14 03:07 UTC by John Helmert III
Modified: 2022-09-14 00:25 UTC
Description John Helmert III 2022-08-14 03:07:08 UTC
CVE-2021-20255 (https://bugzilla.redhat.com/show_bug.cgi?id=1930646):
https://www.openwall.com/lists/oss-security/2021/02/25/1
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1
https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html
https://security.netapp.com/advisory/ntap-20210507-0003/

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2022-1050 (https://bugzilla.redhat.com/show_bug.cgi?id=2069625):

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
Comment 1 John Helmert III 2022-09-14 00:25:12 UTC
CVE-2022-2962 (https://gitlab.com/qemu-project/qemu/-/issues/1171):
https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
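The eepro100 and Tulip descriptions above share one mechanism: a device model performs a DMA to a guest-supplied address without checking whether that address is its own MMIO window, so the "DMA" lands on its own registers and re-enters the MMIO handler, and a guest that points the descriptor at the register can drive that recursion until the stack is exhausted. The following toy model is an added example written for this bug page; it is not QEMU code and not the code in the linked commit. The device, its MMIO base (0x1000), the command register offset, and the "completion record echoes the descriptor address" behaviour are all constructed for illustration. It runs the same guest write against three variants: no mitigation (nesting climbs to a cap that stands in for the real stack overflow), a DMA-target check of the kind the Tulip description says was missing, and, as an assumed alternative mitigation not taken from the page, a guard that refuses nested entry into the handler.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a NIC-style emulated device (not QEMU code).
 * The guest writes a descriptor address to the command register; the device
 * then DMAs a completion record (here: the descriptor address echoed back)
 * to that address.  If the address lies inside the device's own MMIO window,
 * the "DMA" hits the command register and re-enters mmio_write(). */

#define GUEST_RAM_SIZE 4096u
#define DEV_MMIO_BASE  0x1000u   /* assumed MMIO window of the toy device */
#define DEV_MMIO_SIZE  0x100u
#define REG_CMD        0x0u      /* assumed register offset */
#define MAX_REENTRY    64        /* cap standing in for the real stack limit */

static uint8_t guest_ram[GUEST_RAM_SIZE];

typedef struct {
    uint32_t desc_addr;     /* descriptor address programmed by the guest */
    int  depth;             /* current nesting of the MMIO handler */
    int  max_depth;         /* deepest nesting observed during the run */
    bool reentrancy_guard;  /* mitigation A (assumed): refuse nested entry */
    bool check_dma_target;  /* mitigation B: refuse DMA into own MMIO window */
    int  rejected;          /* operations refused by a mitigation */
} toy_dev;

static bool in_own_mmio(uint32_t addr) {
    return addr >= DEV_MMIO_BASE && addr < DEV_MMIO_BASE + DEV_MMIO_SIZE;
}

static void mmio_write(toy_dev *d, uint32_t off, uint32_t val);

/* Bus-level write: routes to guest RAM or to the device's MMIO handler. */
static void bus_write(toy_dev *d, uint32_t addr, uint32_t val) {
    if (in_own_mmio(addr)) {
        mmio_write(d, addr - DEV_MMIO_BASE, val);
    } else if (addr <= GUEST_RAM_SIZE - 4) {
        memcpy(&guest_ram[addr], &val, sizeof val);
    }
    /* writes outside RAM and MMIO are silently dropped in this toy */
}

/* Device-initiated DMA.  Mitigation B is the check the Tulip description
 * says was missing: a target inside the device's own MMIO window is refused. */
static void dma_write(toy_dev *d, uint32_t addr, uint32_t val) {
    if (d->check_dma_target && in_own_mmio(addr)) {
        d->rejected++;
        return;
    }
    bus_write(d, addr, val);
}

/* MMIO handler.  Mitigation A refuses entry while the handler is already
 * running, so no DMA it issues can re-enter it. */
static void mmio_write(toy_dev *d, uint32_t off, uint32_t val) {
    if (d->reentrancy_guard && d->depth > 0) {
        d->rejected++;
        return;
    }
    if (d->depth >= MAX_REENTRY) {
        return;  /* a real device model would have overflowed the stack by now */
    }
    d->depth++;
    if (d->depth > d->max_depth) d->max_depth = d->depth;
    if (off == REG_CMD) {
        d->desc_addr = val;
        dma_write(d, d->desc_addr, d->desc_addr);  /* completion record */
    }
    d->depth--;
}

typedef struct { int max_depth; int rejected; } run_result;

/* Simulate one guest write of desc_addr to the command register. */
run_result run_guest_write(uint32_t desc_addr, bool guard, bool check_target) {
    toy_dev d;
    memset(&d, 0, sizeof d);
    d.reentrancy_guard = guard;
    d.check_dma_target = check_target;
    memset(guest_ram, 0, sizeof guest_ram);
    bus_write(&d, DEV_MMIO_BASE + REG_CMD, desc_addr);
    run_result r = { d.max_depth, d.rejected };
    return r;
}

uint32_t read_guest_ram32(uint32_t addr) {
    uint32_t v = 0;
    if (addr <= GUEST_RAM_SIZE - 4) memcpy(&v, &guest_ram[addr], sizeof v);
    return v;
}

int main(void) {
    run_result r = run_guest_write(0x10, false, false);
    printf("descriptor in RAM: depth=%d rejected=%d ram[0x10]=0x%x\n",
           r.max_depth, r.rejected, read_guest_ram32(0x10));
    r = run_guest_write(DEV_MMIO_BASE + REG_CMD, false, false);
    printf("descriptor at own MMIO, no mitigation: depth=%d\n", r.max_depth);
    r = run_guest_write(DEV_MMIO_BASE + REG_CMD, true, false);
    printf("reentrancy guard: depth=%d rejected=%d\n", r.max_depth, r.rejected);
    r = run_guest_write(DEV_MMIO_BASE + REG_CMD, false, true);
    printf("DMA target check: depth=%d rejected=%d\n", r.max_depth, r.rejected);
    return 0;
}
```

The benign run (descriptor in guest RAM) completes at nesting depth 1 and leaves the completion record in RAM; the unmitigated run with the descriptor pointing at the command register climbs to MAX_REENTRY, which in a real device model is an unbounded recursion and a host-side crash of the QEMU process; either mitigation holds the depth at 1 and records exactly one refused operation. The two checks fail differently when bypassed: the DMA-target check only covers addresses the device itself validates, while the handler guard covers every path back into the handler, which is why a guard at the MMIO dispatch layer is the more general defence.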