Advisories » MGASA-2024-0387

Updated qemu packages fix security vulnerabilities

Publication date: 04 Dec 2024
Modification date: 04 Dec 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-1544, CVE-2023-3019, CVE-2023-3255, CVE-2023-5088, CVE-2023-6683, CVE-2023-6693, CVE-2023-42467, CVE-2024-24474, CVE-2024-26327, CVE-2024-26328, CVE-2024-3446, CVE-2024-3447, CVE-2024-4467, CVE-2024-7409, CVE-2024-8354, CVE-2024-8612

Description

A flaw was found in the QEMU implementation of VMware's paravirtual RDMA
device. This flaw allows a crafted guest driver to allocate and
initialize a huge number of page tables to be used as a ring of
descriptors for the completion queue (CQ) and async events, potentially
leading to an out-of-bounds read and crash of QEMU. (CVE-2023-1544)
A DMA reentrancy issue leading to a use-after-free error was found in
the e1000e NIC emulation code in QEMU. This issue could allow a
privileged guest user to crash the QEMU process on the host, resulting
in a denial of service. (CVE-2023-3019)
A flaw was found in the QEMU built-in VNC server while processing
ClientCutText messages. A wrong exit condition may lead to an infinite
loop when inflating an attacker controlled zlib buffer in the
`inflate_buffer` function. This could allow a remote authenticated
client who is able to send a clipboard to the VNC server to trigger a
denial of service. (CVE-2023-3255)
A bug in QEMU could cause a guest I/O operation otherwise addressed to
an arbitrary disk offset to be targeted to offset 0 instead (potentially
overwriting the VM's boot code). This could be used, for example, by L2
guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1
(vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1,
potentially gaining control of L1 at its next reboot. (CVE-2023-5088)
A flaw was found in the QEMU built-in VNC server while processing
ClientCutText messages. The qemu_clipboard_request() function can be
reached before vnc_server_cut_text_caps() was called and had the chance
to initialize the clipboard peer, leading to a NULL pointer dereference.
This could allow a malicious authenticated VNC client to crash QEMU and
trigger a denial of service. (CVE-2023-6683)
A stack based buffer overflow was found in the virtio-net device of
QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx
function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1
and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious
user to overwrite local variables allocated on the stack. Specifically,
the `out_sg` variable could be used to read a part of process memory and
send it to the wire, causing an information leak. (CVE-2023-6693)
QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset
in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not
prevent s->qdev.blocksize from being 256. This stops QEMU and the guest
immediately. (CVE-2023-42467)
QEMU before 8.2.0 has an integer underflow, and resultant buffer
overflow, via a TI command when an expected non-DMA transfer length is
less than the length of the available FIFO data. This occurs in
esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len.
(CVE-2024-24474)
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs
greater than TotalVFs, leading to a buffer overflow in VF
implementations. (CVE-2024-26327)
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus
interaction with hw/nvme/ctrl.c is mishandled. (CVE-2024-26328)
A double free vulnerability was found in QEMU virtio devices
(virtio-gpu, virtio-serial-bus, virtio-crypto), where the
mem_reentrancy_guard flag insufficiently protects against DMA reentrancy
issues. This issue could allow a malicious privileged guest user to
crash the QEMU process on the host, resulting in a denial of service or
allow arbitrary code execution within the context of the QEMU process on
the host. (CVE-2024-3446)
A heap-based buffer overflow was found in the SDHCI device emulation of
QEMU. The bug is triggered when both `s->data_count` and the size of
`s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A
malicious guest could use this flaw to crash the QEMU process on the
host, resulting in a denial of service condition. (CVE-2024-3447)
A flaw was found in the QEMU disk image utility (qemu-img) 'info'
command. A specially crafted image file containing a `json:{}` value
describing block devices in QMP could cause the qemu-img process on the
host to consume large amounts of memory or CPU time, leading to denial
of service or read/write to an existing external file. (CVE-2024-4467)
A flaw was found in the QEMU NBD Server. This vulnerability allows a
denial of service (DoS) attack via improper synchronization during
socket closure when a client keeps a socket open as the server is taken
offline. (CVE-2024-7409)
A flaw was found in QEMU. An assertion failure was present in the
usb_ep_get() function in hw/usb/core.c when trying to get the USB
endpoint from a USB device. This flaw may allow a malicious unprivileged
guest user to crash the QEMU process on the host and cause a denial of
service condition. (CVE-2024-8354)
A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and
virtio-crypto devices. The size for virtqueue_push as set in
virtio_scsi_complete_req / virtio_blk_req_complete /
virtio_crypto_req_complete could be larger than the true size of the
data which has been sent to the guest. Once virtqueue_push() finally calls
dma_memory_unmap to unmap the in_iov, it may call the
address_space_write function to write back the data. Some uninitialized
data may exist in the bounce buffer, leading to an information leak.
(CVE-2024-8612)
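The fixed package versions are not listed on this page, so the quickest way to confirm that an installed qemu carries these fixes is to compare the advisory's CVE list against what the package changelog claims. The script below is an added example, not part of the Mageia advisory or of QEMU; it assumes the packager references fixed CVEs by identifier in the RPM %changelog (obtained on the host with `rpm -q --changelog qemu`). The embedded changelog text is constructed for the example and is not real Mageia packaging history; a CVE that the changelog does not mention is flagged for manual review, not declared unpatched.

```python
"""Cross-check advisory MGASA-2024-0387's CVE list against an RPM changelog.

Added example, not code from the Mageia advisory or from QEMU. Assumption:
the package %changelog names the CVEs it fixes (Mageia packagers normally do,
but a fix may also land silently with a version bump, so a miss is a prompt
to check, not proof of exposure).
"""
import re
import subprocess

ADVISORY_ID = "MGASA-2024-0387"
PACKAGE = "qemu"

# CVE list copied from the advisory header above.
ADVISORY_CVES = (
    "CVE-2023-1544, CVE-2023-3019, CVE-2023-3255, CVE-2023-5088, CVE-2023-6683, "
    "CVE-2023-6693, CVE-2023-42467, CVE-2024-24474, CVE-2024-26327, CVE-2024-26328, "
    "CVE-2024-3446, CVE-2024-3447, CVE-2024-4467, CVE-2024-7409, CVE-2024-8354, "
    "CVE-2024-8612"
)

# Constructed sample changelog (hypothetical maintainer and revision numbers);
# it deliberately omits CVE-2024-8612 so the report has something to flag.
SAMPLE_CHANGELOG = """\
* Tue Dec 03 2024 packager <packager@example.invalid> 8.2.2-1.5.mga9
+ Revision: 1234567
- fix CVE-2023-1544, CVE-2023-3019, CVE-2023-3255, CVE-2023-5088
- fix CVE-2023-6683, CVE-2023-6693, CVE-2023-42467, CVE-2024-24474
- fix CVE-2024-26327, CVE-2024-26328, CVE-2024-3446, CVE-2024-3447
- fix CVE-2024-4467, CVE-2024-7409, CVE-2024-8354

* Mon Jun 10 2024 packager <packager@example.invalid> 8.2.2-1.4.mga9
+ Revision: 1234000
- fix CVE-2024-3446
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_sort_key(cve):
    """Order CVEs by (year, sequence number) rather than as plain strings."""
    _, year, seq = cve.split("-")
    return int(year), int(seq)


def parse_cves(text):
    """Return the set of CVE identifiers that appear anywhere in text."""
    return set(CVE_RE.findall(text))


def missing_cves(advisory_cves, changelog_text):
    """Advisory CVEs the changelog never mentions, in (year, number) order."""
    unmentioned = parse_cves(advisory_cves) - parse_cves(changelog_text)
    return sorted(unmentioned, key=cve_sort_key)


def rpm_changelog(package):
    """Fetch the installed package's changelog; None if rpm or the package is absent."""
    try:
        proc = subprocess.run(
            ["rpm", "-q", "--changelog", package],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    return proc.stdout if proc.returncode == 0 else None


def report(changelog_text, advisory_cves=ADVISORY_CVES):
    """Build the human-readable verdict; returns (missing_list, text)."""
    missing = missing_cves(advisory_cves, changelog_text)
    if not missing:
        text = f"{ADVISORY_ID}: all {len(parse_cves(advisory_cves))} CVEs referenced in changelog"
    else:
        text = f"{ADVISORY_ID}: {len(missing)} CVE(s) not referenced, review manually:\n  " \
               + "\n  ".join(missing)
    return missing, text


if __name__ == "__main__":
    changelog = rpm_changelog(PACKAGE)
    if changelog is None:
        print("rpm/qemu not available here; using the constructed sample changelog")
        changelog = SAMPLE_CHANGELOG
    print(report(changelog)[1])
```

On a Mageia 9 host the script queries the installed qemu package directly; elsewhere it falls back to the constructed sample and reports CVE-2024-8612 as unreferenced. The (year, number) sort key matters because plain string order would put CVE-2024-3446 after CVE-2024-26328, which makes a long report harder to read against the advisory header.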

References

SRPMS

9/core