softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.
Unreleased patch: https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
The advisory at https://sick.codes/sick-2022-113 says "An attacker can crash and potentially execute arbitrary code as a QEMU guest."
(In reply to John Helmert III from comment #0)
> softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on
> the translate_fail path, leading to an io_readx or io_writex crash.
> Unreleased patch:
> The advisory at https://sick.codes/sick-2022-113 says "An attacker can crash
> and potentially execute arbitrary code as a QEMU guest."
Of course, it doesn't actually substantiate how this could result in code execution as a VM escape.
This is in all of the 7.1.0 rc's.
An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
After being reported to Red Hat almost two years ago, this issue finally made its way upstream 10 months ago, and was patched yesterday. It's in 7.1.0_rc3.
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
Upstream issue: https://gitlab.com/qemu-project/qemu/-/issues/972
Patch (in 7.1.0 rc's): https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
The bug has been referenced in the following commit(s):
Author: John Helmert III <email@example.com>
AuthorDate: 2022-12-08 01:21:06 +0000
Commit: John Helmert III <firstname.lastname@example.org>
CommitDate: 2022-12-08 01:21:33 +0000
app-emulation/qemu: drop 7.0.0-r3
Signed-off-by: John Helmert III <email@example.com>
app-emulation/qemu/Manifest | 2 -
.../files/qemu-2.11.1-capstone_include_path.patch | 11 -
app-emulation/qemu/files/qemu-6.1.0-strings.patch | 26 -
...qemu-7.0.0-also-build-virtfs-proxy-helper.patch | 32 -
.../qemu/files/qemu-7.0.0-glibc-2.36.patch | 90 --
.../qemu/files/qemu-7.0.0-have-user-meson.patch | 36 -
.../qemu-7.0.0-pci-overflow-fortify-source-3.patch | 94 --
.../qemu/files/qemu-7.0.0-virtio-scsi-fixes.patch | 182 ----
app-emulation/qemu/qemu-7.0.0-r3.ebuild | 949 ---------------------
9 files changed, 1422 deletions(-)