Bug 1893895 (CVE-2020-25707) - CVE-2020-25707 QEMU: infinite loop in e1000e_write_packet_to_guest() in hw/net/e1000e_core.c
Summary: CVE-2020-25707 QEMU: infinite loop in e1000e_write_packet_to_guest() in hw/ne...
Keywords:
Status: CLOSED DUPLICATE of bug 1903064
Alias: CVE-2020-25707
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1895051 1895052 1895404 1895405 1895407 1895411 1903070 1903071 1910663
Blocks: 1892339
TreeView+ depends on / blocked
 
Reported: 2020-11-02 22:13 UTC by Mauro Matteo Cascella
Modified: 2022-04-17 21:03 UTC (History)
35 users (show)

Fixed In Version: qemu 5.2.0
Doc Type: If docs needed, set a value
Doc Text:
An infinite loop flaw was found in the e1000e NIC emulation code of QEMU. This issue occurs in the e1000e_write_packet_to_guest() routine while processing bogus RX descriptor data transmitted by the guest. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-12-14 14:11:32 UTC

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2020-11-02 22:13:32 UTC 
An infinite loop issue was found in the e1000e NIC emulation code of QEMU. It could occur in the e1000e_write_packet_to_guest() routine while processing receive descriptor data if the address of the descriptor's data buffer was set to zero. A privileged guest user may exploit this issue to crash the QEMU process on the host, resulting in a denial of service.
Comment 1 Mauro Matteo Cascella 2020-11-05 16:22:02 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1895051]
Comment 8 Salvatore Bonaccorso 2020-11-13 18:56:52 UTC 
Hi

It looks there is upstream this old commit:

https://git.qemu.org/?p=qemu.git;a=commit;h=4154c7e03fa55b4cf52509a83d50d6c09d743b77

But this would be fixed upstream since v2.9.0-rc0.

Is this CVE related to this fix?

Regards,
Salvatore
Comment 9 Salvatore Bonaccorso 2020-11-13 18:59:19 UTC 
(In reply to Salvatore Bonaccorso from comment #8)
> Hi
> 
> It looks there is upstream this old commit:
> 
> https://git.qemu.org/?p=qemu.git;a=commit;
> h=4154c7e03fa55b4cf52509a83d50d6c09d743b77
> 
> But this would be fixed upstream since v2.9.0-rc0.
> 
> Is this CVE related to this fix?

OTOH, this would be CVE-2017-9310 so I assume it is something different?

Regards,
Salvatore
Comment 10 Salvatore Bonaccorso 2020-11-13 19:02:24 UTC 
Okay I guess https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03552.html might be the better answer here. Is this correct?
Comment 11 Mauro Matteo Cascella 2020-11-16 09:38:16 UTC 
Hi Salvatore,

In reply to comment #10:
> Okay I guess
> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03552.html might
> be the better answer here. Is this correct?

Correct, this is different from CVE-2017-9310 although somewhat related. I will add a reference to the patch here, once it gets accepted upstream.

Regards,
Mauro
Comment 12 Salvatore Bonaccorso 2020-11-17 07:29:18 UTC 
Hi Mauro

Thanks a lot for the confirmation!

Regards,
Salvatore
Comment 13 Mauro Matteo Cascella 2020-11-17 13:57:33 UTC 
Acknowledgments:

Name: Cheolwoo Myung, Gaoning Pan (Zhejiang University)
Comment 15 Mauro Matteo Cascella 2020-12-01 10:54:56 UTC 
Upstream fix:
https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03185.html
Comment 16 Mauro Matteo Cascella 2020-12-14 13:46:55 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2020-28916. Please see https://access.redhat.com/security/cve/CVE-2020-28916 for information about affected products and security errata.
Comment 17 Mauro Matteo Cascella 2020-12-14 14:11:32 UTC 

*** This bug has been marked as a duplicate of bug 1903064 ***
Comment 19 errata-xmlrpc 2021-05-18 14:51:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1762 https://access.redhat.com/errata/RHSA-2021:1762
Note You need to log in before you can comment on or make changes to this bug.