Hello vendors,

we have been informed by Nelson Elhage of a new security issue in qemu(-kvm). Details of the issue together with assigned CVE ID and patch proposed by Nelson are attached.

According to my knowledge, this is specific to Linux and KVM. Upstream is affected.

Nelson agreed with a CRD of 2011-07-04 (two weeks from now) so please consider this issue embargoed until this date passes.

Thank you,
--
Petr Matousek / Red Hat Security Response Team

[attachment: virtqueue.txt]

EMBARGOED CVE-2011-2212 qemu-kvm: virtqueue: too-large indirect descriptor buffer overflow

It was found that virtio subsystem in qemu-kvm did not properly validate virtqueue in and out requests from the guest. A privileged guest user could use this flaw to cause buffer overflow, causing the guest to crash (denial of service) or, possibly, resulting in the privileged guest user escalating their privileges on the host.

--

virtqueue_pop (and less importantly, virtqueue_avail_bytes) do not limit the size of an indirect descriptor entry, which allows a guest to specify an arbitrarily-long descriptor chain, which will overflow the fixed-size arrays in VirtQueueElement, leading to memory corruption.

From 8e16077bfcd2d06a98aec8348cc171402ed75b51 Mon Sep 17 00:00:00 2001
From: Nelson Elhage <nelhage@ksplice.com>
Date: Thu, 19 May 2011 13:23:17 -0400
Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.

We were previously allowing arbitrarily-long descriptors, which could lead to a buffer overflow in the qemu-kvm process.
---
 hw/virtio.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/hw/virtio.c b/hw/virtio.c
index 6e8814c..4935282 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -335,6 +335,11 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes) max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); num_bufs = i = 0; desc_pa = vring_desc_addr(desc_pa, i); + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } do { @@ -405,6 +410,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); desc_pa = vring_desc_addr(desc_pa, i); i = 0; + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } /* Collect all the descriptors */ -- 1.7.4.44.gf9e72 --uXxg6w1szOgo69o3--
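Review bot: in the virtqueue_avail_bytes hunk the new check bounds `max` but not the length it was derived from: `max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);` silently truncates a guest-supplied length that is not a whole multiple of sizeof(VRingDesc), so a malformed indirect table passes with a short count instead of being rejected. Suggest rejecting `vring_desc_len(desc_pa, i) % sizeof(VRingDesc) != 0` next to the `max > VIRTQUEUE_MAX_SIZE` test, and adding a one-line comment that VIRTQUEUE_MAX_SIZE is the size of the VirtQueueElement arrays the entries are later copied into, so the origin of the bound is documented at the point it is enforced.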
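Review bot: the virtqueue_pop hunk repeats the same five-line check verbatim with the identical string "Too-large indirect descriptor", so a log line cannot tell which path tripped it. Suggest hoisting the check into a small static helper called right after `max` is computed in both functions, or at least including the function name in the message; the commit message should also say that `exit(1)` is the intended response to a malicious guest here, since it terminates the whole qemu-kvm process rather than failing the single request.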
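To make the failure mode in the advisory concrete, here is an added, self-contained C model of the indirect-descriptor walk. It is constructed for this page and is not qemu's code or Nelson's patch: the struct layouts, the value of VIRTQUEUE_MAX_SIZE, the Elem type standing in for VirtQueueElement, and the function names are all assumptions. It contrasts the unchecked count derivation with a validated one and shows the two checks a defender wants on guest-supplied table lengths (an upper bound and a whole-multiple test) plus bounding of the chain walk itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the virtio ring layout; assumed values, not qemu's
   own definitions. VIRTQUEUE_MAX_SIZE is the bound the patch above uses. */
#define VIRTQUEUE_MAX_SIZE 1024
#define VRING_DESC_F_NEXT  1

typedef struct {
    uint64_t addr;   /* guest-physical address of the buffer */
    uint32_t len;    /* for an indirect descriptor: table size in bytes */
    uint16_t flags;
    uint16_t next;   /* index of the next descriptor when F_NEXT is set */
} VRingDesc;

/* Model of the fixed-size arrays in VirtQueueElement (hypothetical fields). */
typedef struct {
    unsigned int num;
    uint64_t addr[VIRTQUEUE_MAX_SIZE];
    uint32_t len[VIRTQUEUE_MAX_SIZE];
} Elem;

/* What the unpatched code did: derive the entry count straight from the
   guest-controlled length. Two defects show in the return value alone:
   there is no upper bound, and a non-multiple length is silently truncated. */
unsigned int indirect_entry_count_unchecked(uint32_t table_len)
{
    return (unsigned int)(table_len / sizeof(VRingDesc));
}

/* Hardened derivation: reject lengths that are zero, not a whole number of
   descriptors, or larger than the arrays the entries will be copied into.
   Returns 0 and sets *max_out on success, -1 on rejection. */
int validate_indirect_len(uint32_t table_len, unsigned int *max_out)
{
    if (table_len == 0 || table_len % sizeof(VRingDesc) != 0) {
        return -1;  /* would silently truncate */
    }
    unsigned int max = (unsigned int)(table_len / sizeof(VRingDesc));
    if (max > VIRTQUEUE_MAX_SIZE) {
        return -1;  /* would overflow Elem's arrays */
    }
    *max_out = max;
    return 0;
}

/* Walk an indirect descriptor chain into elem. Validates the length before
   touching the table, bounds every 'next' index by max, and caps the number
   of collected entries so a cyclic chain cannot run forever. Returns the
   number of entries collected, or -1 if the guest-supplied data is invalid. */
int collect_indirect(const VRingDesc *table, uint32_t table_len, Elem *elem)
{
    unsigned int max;
    if (validate_indirect_len(table_len, &max) != 0) {
        return -1;
    }
    unsigned int i = 0;
    elem->num = 0;
    for (;;) {
        if (elem->num >= max) {
            return -1;  /* more entries than the table holds: a loop */
        }
        elem->addr[elem->num] = table[i].addr;
        elem->len[elem->num] = table[i].len;
        elem->num++;
        if (!(table[i].flags & VRING_DESC_F_NEXT)) {
            break;
        }
        i = table[i].next;
        if (i >= max) {
            return -1;  /* next index points outside the indirect table */
        }
    }
    return (int)elem->num;
}

/* Constructed sample tables (not captured from a real guest). */
VRingDesc sample_chain[3] = {       /* 0 -> 1 -> 2, well formed */
    { 0x1000, 512, VRING_DESC_F_NEXT, 1 },
    { 0x2000, 512, VRING_DESC_F_NEXT, 2 },
    { 0x3000, 64,  0,                 0 },
};
VRingDesc sample_bad_next[1] = { { 0x1000, 16, VRING_DESC_F_NEXT, 7 } };
VRingDesc sample_loop[2] = {        /* 0 -> 1 -> 0, never terminates */
    { 0x1000, 16, VRING_DESC_F_NEXT, 1 },
    { 0x2000, 16, VRING_DESC_F_NEXT, 0 },
};

int main(void)
{
    Elem elem;
    printf("valid chain: %d entries\n",
           collect_indirect(sample_chain, sizeof sample_chain, &elem));
    printf("unchecked count for 0xFFFFFFFF bytes: %u (array size %u)\n",
           indirect_entry_count_unchecked(0xFFFFFFFFu), VIRTQUEUE_MAX_SIZE);
    printf("oversized table rejected: %d\n",
           collect_indirect(sample_chain,
                            (uint32_t)((VIRTQUEUE_MAX_SIZE + 1) * sizeof(VRingDesc)),
                            &elem));
    return 0;
}
```

The validation happens before the table is dereferenced, which is the ordering that matters: once `max` is trusted, every later array write and every `next` index is bounded by it, so a guest can only ever waste time, not corrupt the host process.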
Now public.
Please provide an updated ebuild!
Fixed in 0.14.1-r2.
Didn't mean to close it.
(In reply to comment #3)
> Fixed in 0.14.1-r2.

Great, thanks. Can we move forward with stabilization?
Stabilization of fixed code going on in bug 364889.
Removing dependency, 0.14.1-r2 is stable already.
Added to pending GLSA request.
CVE-2011-2512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2512): The virtio_queue_notify in qemu-kvm 0.14.0 and earlier does not properly validate the virtqueue number, which allows guest users to cause a denial of service (guest crash) and possibly execute arbitrary code via a negative number in the Queue Notify field of the Virtio Header, which bypasses a signed comparison.

CVE-2011-2212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2212): Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to "virtqueue in and out requests."
This issue was resolved and addressed in GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml by GLSA coordinator Stefan Behte (craig).