Bug 2254580 (CVE-2023-6693)

Summary: CVE-2023-6693 QEMU: virtio-net: stack buffer overflow in virtio_net_flush_tx()
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ddepaula, jen, jferlan, jmaloy, knoel, mrezanin, mst, pbonzini, security-response-team, virt-maint, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2256436    
Bug Blocks: 2254047    

Description Mauro Matteo Cascella 2023-12-14 16:55:45 UTC 
A stack based buffer overflow was found in the virtio-net device of QEMU. The flaw occurs while copying data to mhdr, a local variable of type virtio_net_hdr_mrg_rxbuf, when flushing TX in the virtio_net_flush_tx function. If guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled, `n->guest_hdr_len` is set to sizeof(struct virtio_net_hdr_v1_hash), which is bigger than sizeof(virtio_net_hdr_mrg_rxbuf). This vulnerability could potentially allow a malicious user to overwrite local variables adjacent to mhdr allocated on the stack. Specifically, the out_sg variable could be used to read some part of process memory and send it to the wire:

ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), out_sg, out_num, virtio_net_tx_complete);
Comment 4 Mauro Matteo Cascella 2024-01-02 08:59:55 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2256436]
Comment 5 Mauro Matteo Cascella 2024-01-02 09:00:26 UTC 
Upstream patch & commit:
https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg00045.html
https://gitlab.com/qemu-project/qemu/-/commit/2220e8189fb94068dbad333228659fbac819abb0
Comment 8 errata-xmlrpc 2024-05-22 09:22:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2962 https://access.redhat.com/errata/RHSA-2024:2962