Bug 2149105 (CVE-2022-4172)

Summary: CVE-2022-4172 QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ddepaula, eglynn, jen, jferlan, jjoyce, jmaloy, knoel, lhh, mburns, mgarciac, mkenneth, mrezanin, mst, pbonzini, spower, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qemu-kvm 7.2.0-rc0
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow and a buffer overflow were found in the ACPI Error Record Serialization Table (ERST) device of QEMU, in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host. Arbitrary code execution was deemed unlikely.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-09 17:45:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2149106, 2149108
Bug Blocks: 2137191

Description Mauro Matteo Cascella 2022-11-28 20:37:18 UTC
Memory corruption issues (integer overflow and buffer overflow) were found in the ACPI ERST device of QEMU in the read_erst_record() and write_erst_record() functions. For more information about ACPI ERST, see https://www.qemu.org/docs/master/specs/acpi_erst.html. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host. Arbitrary code execution was deemed unlikely.

Upstream patch:
https://lore.kernel.org/qemu-devel/20221019191522.1004804-1-lk@c--e.de/ [v1]
https://lore.kernel.org/qemu-devel/20221024154233.1043347-1-lk@c--e.de/ [v2]

Upstream issue & commit:
https://gitlab.com/qemu-project/qemu/-/issues/1268
https://gitlab.com/qemu-project/qemu/-/commit/defb7098

Comment 1 Mauro Matteo Cascella 2022-11-28 20:37:48 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2149106]

Comment 4 errata-xmlrpc 2023-05-09 07:13:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2162 https://access.redhat.com/errata/RHSA-2023:2162

Comment 5 Product Security DevOps Team 2023-05-09 17:45:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4172