Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use-after-free of the sg by caching the virtqueue elements in an array and unmapping them at once after receiving the packets, but it forgot to unmap the cached elements on error, which will lead to leaking of mappings and other unexpected results.
Upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html
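To make the error-path problem in that description concrete, here is an added, constructed C model (not QEMU code, and not the upstream patch) of a receive routine that caches popped elements and unmaps them in one pass; the buggy shape drops the cache on an early error return, the fixed shape releases everything cached first. The names VirtQueueElement, pop_elem, unmap_elem, receive_buggy, receive_fixed and leaked_by are all assumed for this model, and "mapped" simply stands in for a live DMA mapping.

```c
/* Constructed model (not QEMU code) of the batched virtio-net receive path:
 * each element popped from the virtqueue carries a DMA mapping that must be
 * released exactly once, on success or on the error return. */
#define MAX_ELEMS 8
typedef struct { int mapped; } VirtQueueElement;

static VirtQueueElement *pop_elem(VirtQueueElement *pool, int i) {
    pool[i].mapped = 1;          /* stands in for the DMA map */
    return &pool[i];
}
static void unmap_elem(VirtQueueElement *e) { e->mapped = 0; }
/* Shape described in the report: elements are cached and unmapped in one
 * pass at the end, but the early error return skips that pass. */
static int receive_buggy(VirtQueueElement *pool, int nbufs, int fail_at) {
    VirtQueueElement *elems[MAX_ELEMS];
    int i;
    for (i = 0; i < nbufs; i++) {
        elems[i] = pop_elem(pool, i);
        if (i == fail_at)
            return -1;           /* BUG: elems[0..i] stay mapped (leak) */
    }
    for (i = 0; i < nbufs; i++) unmap_elem(elems[i]);
    return nbufs;
}

/* Fixed shape: release every cached element before returning the error. */
static int receive_fixed(VirtQueueElement *pool, int nbufs, int fail_at) {
    VirtQueueElement *elems[MAX_ELEMS];
    int i, j;
    for (i = 0; i < nbufs; i++) {
        elems[i] = pop_elem(pool, i);
        if (i == fail_at) {
            for (j = 0; j <= i; j++) unmap_elem(elems[j]);
            return -1;
        }
    }
    for (i = 0; i < nbufs; i++) unmap_elem(elems[i]);
    return nbufs;
}

/* Runs one receive on a fresh pool and counts the mappings left behind;
 * fail_at < 0 injects no error. */
static int leaked_by(int (*recv)(VirtQueueElement *, int, int),
                     int nbufs, int fail_at) {
    VirtQueueElement pool[MAX_ELEMS] = {{0}};
    int i, leaked = 0;
    recv(pool, nbufs, fail_at);
    for (i = 0; i < MAX_ELEMS; i++) leaked += pool[i].mapped;
    return leaked;
}
```

Injecting an error on the third of four buffers leaves three mappings behind in the buggy shape and none in the fixed one; the same leak-count check is a cheap regression test to keep around any batched map/unmap loop.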
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 2063199]
QEMU is not intended to be used directly on RHEL due to security concerns (see https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up an additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of a guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.
This issue has been addressed in the following products:
Advanced Virtualization for RHEL 8.4.0.EUS
Via RHSA-2022:5002 https://access.redhat.com/errata/RHSA-2022:5002
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2022:5263 https://access.redhat.com/errata/RHSA-2022:5263
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:5821 https://access.redhat.com/errata/RHSA-2022:5821
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-26353