Bug 2063197 (CVE-2022-26353) - CVE-2022-26353 QEMU: virtio-net: map leaking on error during receive
Summary: CVE-2022-26353 QEMU: virtio-net: map leaking on error during receive
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-26353
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2063199 2063206 2063207 2063208 2063209 2075635 2075637
Blocks: 2063204
TreeView+ depends on / blocked
 
Reported: 2022-03-11 14:03 UTC by Mauro Matteo Cascella
Modified: 2022-10-31 22:34 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage, use-after-free or other unexpected results. A malicious privileged guest could exploit this issue to crash QEMU or potentially execute arbitrary code within the context of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2022-08-31 03:35:01 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5002 0 None None None 2022-06-13 11:51:32 UTC
Red Hat Product Errata RHSA-2022:5263 0 None None None 2022-06-28 16:06:04 UTC
Red Hat Product Errata RHSA-2022:5821 0 None None None 2022-08-02 10:01:11 UTC

Description Mauro Matteo Cascella 2022-03-11 14:03:20 UTC 
Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
tries to fix the use after free of the sg by caching the virtqueue
elements in an array and unmap them at once after receiving the
packets, But it forgot to unmap the cached elements on error which
will lead to leaking of mapping and other unexpected results.

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html
Comment 1 Mauro Matteo Cascella 2022-03-11 14:09:29 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2063199]
Comment 4 Mauro Matteo Cascella 2022-03-16 10:17:38 UTC 
QEMU is not intended to be used directly on RHEL due to security concerns (see https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.
Comment 5 errata-xmlrpc 2022-06-13 11:51:28 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2022:5002 https://access.redhat.com/errata/RHSA-2022:5002
Comment 6 errata-xmlrpc 2022-06-28 16:06:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5263 https://access.redhat.com/errata/RHSA-2022:5263
Comment 7 errata-xmlrpc 2022-08-02 10:01:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5821 https://access.redhat.com/errata/RHSA-2022:5821
Comment 8 Product Security DevOps Team 2022-08-31 03:34:58 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-26353
Note You need to log in before you can comment on or make changes to this bug.