A stack based buffer overflow was found in the virtio-net device of QEMU. The flaw occurs while copying data to mhdr, a local variable of type virtio_net_hdr_mrg_rxbuf, when flushing TX in the virtio_net_flush_tx function. If guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled, `n->guest_hdr_len` is set to sizeof(struct virtio_net_hdr_v1_hash), which is bigger than sizeof(virtio_net_hdr_mrg_rxbuf). This vulnerability could potentially allow a malicious user to overwrite local variables adjacent to mhdr allocated on the stack. Specifically, the out_sg variable could be used to read some part of process memory and send it to the wire: ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), out_sg, out_num, virtio_net_tx_complete);
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 2256436]
Upstream patch & commit: https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg00045.html https://gitlab.com/qemu-project/qemu/-/commit/2220e8189fb94068dbad333228659fbac819abb0
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2962 https://access.redhat.com/errata/RHSA-2024:2962