Bug 1860283 (CVE-2020-16092) - CVE-2020-16092 QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
Summary: CVE-2020-16092 QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragme...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-16092
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1860994 1861058 1861059 1861060 1860960 1860961 1860962 1860996 1861011 1861170 1882755
Blocks: 1853728
TreeView+ depends on / blocked
 
Reported: 2020-07-24 08:30 UTC by Mauro Matteo Cascella
Modified: 2021-03-18 13:04 UTC (History)
36 users (show)

Fixed In Version: qemu-kvm 5.1.0
Doc Type: If docs needed, set a value
Doc Text:
An assertion failure flaw was found in QEMU in the network packet processing component. This issue affects the "e1000e" and "vmxnet3" network devices. This flaw allows a malicious guest user or process to abort the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-11-18 05:28:37 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5111 0 None None None 2020-11-16 09:10:11 UTC
Red Hat Product Errata RHSA-2021:0346 0 None None None 2021-02-02 12:06:11 UTC
Red Hat Product Errata RHSA-2021:0347 0 None None None 2021-02-02 12:06:54 UTC
Red Hat Product Errata RHSA-2021:0459 0 None None None 2021-02-09 13:51:39 UTC
Red Hat Product Errata RHSA-2021:0934 0 None None None 2021-03-18 13:04:58 UTC

Description Mauro Matteo Cascella 2020-07-24 08:30:45 UTC
An assertion failure issue was found in the net_tx_pkt_add_raw_fragment() function in hw/net/net_tx_pkt.c. This assertion comes from the code that processes network packets. This code is shared between e1000e, vmxnet3 and apparently a few more devices. A malicious guest user/process could abuse this flaw to abort the QEMU process on the host, resulting in a denial of service condition.

Comment 1 Mauro Matteo Cascella 2020-07-24 08:30:52 UTC
Acknowledgments:

Name: Ziming Zhang (Codesafe Team of Legendsec at Qi'anxin Group)

Comment 8 Mauro Matteo Cascella 2020-07-27 17:33:33 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1861058]
Affects: fedora-all [bug 1861059]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1861060]

Comment 11 Mauro Matteo Cascella 2020-08-05 14:35:18 UTC
Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8

Comment 13 errata-xmlrpc 2020-11-16 09:10:01 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2020:5111 https://access.redhat.com/errata/RHSA-2020:5111

Comment 14 Product Security DevOps Team 2020-11-18 05:28:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-16092

Comment 15 errata-xmlrpc 2021-02-02 12:06:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0346 https://access.redhat.com/errata/RHSA-2021:0346

Comment 16 errata-xmlrpc 2021-02-02 12:06:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0347 https://access.redhat.com/errata/RHSA-2021:0347

Comment 17 errata-xmlrpc 2021-02-09 13:51:37 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2021:0459 https://access.redhat.com/errata/RHSA-2021:0459

Comment 18 errata-xmlrpc 2021-03-18 13:04:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2021:0934 https://access.redhat.com/errata/RHSA-2021:0934


Note You need to log in before you can comment on or make changes to this bug.