Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 905342 (CVE-2021-20255, CVE-2023-0330) - app-emulation/qemu: multiple vulnerabilities
Summary: app-emulation/qemu: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2021-20255, CVE-2023-0330
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-29 23:01 UTC by John Helmert III
Modified: 2024-04-24 04:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 23:01:05 UTC
CVE-2023-0330 (https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html):

A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.

Patch made it into git as 31c4b6fb0293e359f9ef8a61892667e76eea4c99,
says it also fixes CVE-2022-1050, in 8.0.0.

CVE-2023-1544 (https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html):

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.

Not in qemu upstream as far as I can tell.
Comment 1 Larry the Git Cow gentoo-dev 2023-05-05 18:11:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be4c0fdfda7a00698701d61467154dba7009e38e

commit be4c0fdfda7a00698701d61467154dba7009e38e
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-05-05 16:19:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-05-05 18:11:17 +0000

    app-emulation/qemu: add 8.0.0
    
     - merge qemu-7.2.1 and qemu-9999 ebuilds
     - remove static keyword
     - update to --enable-trace-backends configuration option
    
    Bug: https://bugs.gentoo.org/905342
    Bug: https://bugs.gentoo.org/865121
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                        |   1 +
 .../qemu/files/qemu-8.0.0-disable-keymap.patch     |  18 +-
 app-emulation/qemu/files/qemu-8.0.0-make.patch     |   9 +-
 app-emulation/qemu/qemu-8.0.0.ebuild               | 962 +++++++++++++++++++++
 4 files changed, 978 insertions(+), 12 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-26 04:36:27 UTC
(In reply to John Helmert III from comment #0)
> CVE-2023-0330
> (https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html):
> 
> A vulnerability in the lsi53c895a device affects the latest version of qemu.
> A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack
> overflow or use-after-free.
> 
> Patch made it into git as 31c4b6fb0293e359f9ef8a61892667e76eea4c99,
> says it also fixes CVE-2022-1050, in 8.0.0.

Looks like I was confused here. That commit was for CVE-2023-1050, not CVE-2023-0330. The latter was fixed with a2e1753b8054344f32cf94f31c6399a58794a380, which isn't in any release.

> CVE-2023-1544
> (https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html):
> 
> A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA
> device. This flaw allows a crafted guest driver to allocate and initialize a
> huge number of page tables to be used as a ring of descriptors for CQ and
> async events, potentially leading to an out-of-bounds read and crash of QEMU.
> 
> Not in qemu upstream as far as I can tell.

*This* one was eventually merged as 31c4b6fb0293e359f9ef8a61892667e76eea4c99, which references CVE-2022-1050, and is in 8.0.0. Let's move this one to bug 865121 and we can track the currently-fixed bugs there.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-26 04:37:27 UTC
CVE-2021-20255 (https://bugzilla.redhat.com/show_bug.cgi?id=1930646):

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Comment 4 Larry the Git Cow gentoo-dev 2023-06-03 06:07:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bdd3ce95b8131c069bc4921d7cfdd75eea92f35

commit 9bdd3ce95b8131c069bc4921d7cfdd75eea92f35
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-03 06:06:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-03 06:06:56 +0000

    app-emulation/qemu: add 8.0.2
    
    Fixes CVE-2023-0330.
    
    Bug: https://bugs.gentoo.org/905342
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/qemu/Manifest          |   1 +
 app-emulation/qemu/qemu-8.0.2.ebuild | 963 +++++++++++++++++++++++++++++++++++
 2 files changed, 964 insertions(+)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2024-04-24 04:25:05 UTC
(In reply to John Helmert III from comment #3)
> CVE-2021-20255 (https://bugzilla.redhat.com/show_bug.cgi?id=1930646):
> 
> A stack overflow via an infinite recursion vulnerability was found in the
> eepro100 i8255x device emulator of QEMU. This issue occurs while processing
> controller commands due to a DMA reentry issue. This flaw allows a guest
> user or process to consume CPU cycles or crash the QEMU process on the host,
> resulting in a denial of service. The highest threat from this vulnerability
> is to system availability.

The solution suggested was never merged.

https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06123.html