Bug 1899722

Summary: QEMU: integer underflow in dp8393x_do_transmit_packets() in hw/net/dp8393x.c
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Reopened, Security
Reporter: Mauro Matteo Cascella <mcascell>
Assignee: Red Hat Product Security <security-response-team>
CC: ailan, berrange, cfergeau, dbecker, drjones, imammedo, itamar, jasowang, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, marcandre.lureau, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ppandit, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, vkuznets, xen-maint
Last Closed: 2020-11-27 17:33:58 UTC
Bug Depends On: 1899857, 1899858
Bug Blocks: 1898192

Description Mauro Matteo Cascella 2020-11-19 20:30:46 UTC
An integer overflow was found in the dp8393x NIC device emulation code of QEMU. It could occur while transmitting network packets in the dp8393x_do_transmit_packets() function in hw/net/dp8393x.c. The integer overflow could lead to a heap buffer overflow in a later function call of qemu_net_queue_append(). A malicious user in a linux/m68k guest (q800 machine) could exploit this flaw to carry out a denial of service attack by crashing the QEMU process on the host.

Comment 1 Philippe Mathieu-Daudé 2020-11-19 21:16:41 UTC
As it is not clear which product this BZ is for, FWIW on RHEL QEMU isn't built with the m68k target.

Comment 2 Mauro Matteo Cascella 2020-11-20 09:14:03 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1899858]
Affects: fedora-all [bug 1899857]

Comment 3 Mauro Matteo Cascella 2020-11-20 09:37:40 UTC
Hi Philippe,

In reply to comment #1:
> As it is not clear which product this BZ is for, FWIW on RHEL QEMU isn't
> built with the m68k target.

This is intended to be a generic flaw bug, i.e., not tied to a specific product. I just created tracking bugs for Fedora/EPEL, as they both include m68k (and hence dp8393x) AFAICS.

BTW, I'm not even sure this is eligible for CVE assignment as it may fall in the non-virtualization use case [1]. If so, I think we should consider this more of a regular hardening bug. What do you think?

[1] https://www.qemu.org/docs/master/system/security.html#non-virtualization-use-case

Comment 9 Mauro Matteo Cascella 2020-12-01 14:26:34 UTC
In reply to comment #3:
> BTW, I'm not even sure this is eligible for CVE assignment as it may fall in
> the non-virtualization use case [1]. If so, I think we should consider this
> more of a regular hardening bug. What do you think?

No CVE assignment required for this bug, due to the dp8393x device not being used by any KVM platform.

Upstream patch:
https://github.com/qemu/qemu/commit/915976bd98a9286efe6f2e573cb4f1360603adf9

Comment 10 Mauro Matteo Cascella 2020-12-01 14:36:37 UTC
External References:

https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00105.html