Bug 2063197 (CVE-2022-26353)

Summary: CVE-2022-26353 QEMU: virtio-net: map leaking on error during receive
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: berrange, cfergeau, crobinso, dbecker, jen, jferlan, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage, use-after-free or other unexpected results. A malicious privileged guest could exploit this issue to crash QEMU or potentially execute arbitrary code within the context of the QEMU process on the host.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-31 03:35:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2063199, 2063206, 2063207, 2063208, 2063209, 2075635, 2075637    
Bug Blocks: 2063204    

Description Mauro Matteo Cascella 2022-03-11 14:03:20 UTC
Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
tries to fix the use after free of the sg by caching the virtqueue
elements in an array and unmap them at once after receiving the
packets, But it forgot to unmap the cached elements on error which
will lead to leaking of mapping and other unexpected results.

Upstream patch:

Comment 1 Mauro Matteo Cascella 2022-03-11 14:09:29 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2063199]

Comment 4 Mauro Matteo Cascella 2022-03-16 10:17:38 UTC
QEMU is not intended to be used directly on RHEL due to security concerns (see https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.

Comment 5 errata-xmlrpc 2022-06-13 11:51:28 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2022:5002 https://access.redhat.com/errata/RHSA-2022:5002

Comment 6 errata-xmlrpc 2022-06-28 16:06:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5263 https://access.redhat.com/errata/RHSA-2022:5263

Comment 7 errata-xmlrpc 2022-08-02 10:01:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5821 https://access.redhat.com/errata/RHSA-2022:5821

Comment 8 Product Security DevOps Team 2022-08-31 03:34:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):