Bug 2180364 (CVE-2023-1544) - CVE-2023-1544 QEMU: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()
Summary: CVE-2023-1544 QEMU: pvrdma: out-of-bounds read in pvrdma_ring_next_elem_read()
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-1544
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2180366
Blocks: 2180353
Reported: 2023-03-21 09:44 UTC by Mauro Matteo Cascella
Modified: 2024-02-13 16:35 UTC (History)

Fixed In Version: qemu-kvm 8.2.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and a crash of QEMU.
Clone Of:
Environment:
Last Closed: 2023-03-21 14:01:28 UTC
Embargoed:



Description Mauro Matteo Cascella 2023-03-21 09:44:54 UTC
The guest driver allocates and initializes page tables to be used as a ring of descriptors for CQ and async events. Since the guest controls the number of pages passed to the device, this flaw could lead to an out-of-bounds read and a potential crash of QEMU.

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html

Comment 1 Mauro Matteo Cascella 2023-03-21 09:46:06 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2180366]

Comment 2 Product Security DevOps Team 2023-03-21 14:01:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1544

Comment 3 Mauro Matteo Cascella 2024-02-13 15:08:39 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c7320d1641d344d0c5dfbe341d087

