Bug 2215784 (CVE-2023-3301) - CVE-2023-3301 QEMU: net: triggerable assertion due to race condition in hot-unplug
Summary: CVE-2023-3301 QEMU: net: triggerable assertion due to race condition in hot-u...
Keywords:
Status: NEW
Alias: CVE-2023-3301
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2215786 2215787 2215788 2228125
Blocks: 2192993
Reported: 2023-06-18 17:02 UTC by Mauro Matteo Cascella
Modified: 2023-11-14 15:18 UTC (History)
Fixed In Version: qemu 8.1.0-rc0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in QEMU. The asynchronous nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net PCI frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6980 0 None None None 2023-11-14 15:18:21 UTC

Description Mauro Matteo Cascella 2023-06-18 17:02:39 UTC
The async nature of the hot-unplug enables an easy-to-reproduce race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged (or the ACPI unplug has been acked by the guest?). The guest can use this time window to, at least, trigger an assertion.

Comment 3 Mauro Matteo Cascella 2023-08-01 13:09:41 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2228125]

Comment 4 Mauro Matteo Cascella 2023-08-01 13:13:01 UTC
Upstream fix:
https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8

Comment 6 errata-xmlrpc 2023-11-14 15:18:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6980 https://access.redhat.com/errata/RHSA-2023:6980