Bug 2063197 (CVE-2022-26353)
Summary: | CVE-2022-26353 QEMU: virtio-net: map leaking on error during receive | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | berrange, cfergeau, crobinso, dbecker, jen, jferlan, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Doc Text: |
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage, use-after-free or other unexpected results. A malicious privileged guest could exploit this issue to crash QEMU or potentially execute arbitrary code within the context of the QEMU process on the host.
|
Last Closed: | 2022-08-31 03:35:01 UTC | Type: | --- |
Bug Depends On: | 2063199, 2063206, 2063207, 2063208, 2063209, 2075635, 2075637 | ||
Bug Blocks: | 2063204 |
Description
Mauro Matteo Cascella
2022-03-11 14:03:20 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2063199]

QEMU is not intended to be used directly on RHEL due to security concerns (see https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up an additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of a guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.

This issue has been addressed in the following products:

Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2022:5002 https://access.redhat.com/errata/RHSA-2022:5002

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2022:5263 https://access.redhat.com/errata/RHSA-2022:5263

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:5821 https://access.redhat.com/errata/RHSA-2022:5821

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-26353
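
The isolation described in the comment above (QEMU running as an unprivileged user and confined by SELinux/sVirt) can be checked on a host with a short audit. This is an added example, not part of the original bug report or any Red Hat tooling; the function name, the accepted domains `svirt_t` and `svirt_tcg_t`, the process-name match on `qemu*`, and the sample process lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input: one process per line as "USER LABEL COMM", for example from
#   ps -eo user=,label=,comm= | audit_qemu_isolation
# Prints one finding per problem; returns 1 if any QEMU process fails a check.
audit_qemu_isolation() {
    awk '
    $3 ~ /^qemu/ {
        seen++
        # Check 1: the QEMU process must not run as root.
        if ($1 == "root" || $1 == "0") {
            print "FAIL uid: " $3 " runs as " $1; bad++
        }
        # Check 2: the SELinux type (third context field) must be an sVirt
        # domain (assumed here: svirt_t or svirt_tcg_t).
        n = split($2, ctx, ":")
        if (n < 3 || ctx[3] !~ /^svirt_(t|tcg_t)$/) {
            print "FAIL label: " $3 " has context " $2; bad++
        } else if (n < 5 || ctx[5] !~ /^c[0-9]+,c[0-9]+$/) {
            # Check 3: dynamic sVirt labelling gives each guest its own
            # MCS category pair; without it guests are not separated.
            print "FAIL mcs: " $3 " lacks a per-guest category pair (" $2 ")"; bad++
        }
    }
    END {
        if (!seen) print "INFO: no QEMU processes found"
        exit (bad > 0)
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='qemu system_u:system_r:svirt_t:s0:c212,c874 qemu-kvm
root unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 qemu-system-x86
qemu system_u:system_r:svirt_t:s0 qemu-kvm
root system_u:system_r:sshd_t:s0-s0:c0.c1023 sshd'

printf '%s\n' "$SAMPLE" | audit_qemu_isolation || true
```

A process launched by hand outside libvirt typically shows up as the second sample line does: running as root in an unconfined domain, which is the case the comment warns against.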