Bug 2274211 (CVE-2024-3446) - CVE-2024-3446 QEMU: virtio: DMA reentrancy issue leads to double free vulnerability
Keywords:
Status: NEW
Alias: CVE-2024-3446
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2274212
Blocks: 1997699
Reported: 2024-04-09 18:30 UTC by Mauro Matteo Cascella
Modified: 2024-11-12 08:56 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:6964 0 None None None 2024-09-24 03:22:46 UTC
Red Hat Product Errata RHSA-2024:9136 0 None None None 2024-11-12 08:56:06 UTC

Description Mauro Matteo Cascella 2024-04-09 18:30:12 UTC
It was found that the mem_reentrancy_guard flag did not sufficiently protect against DMA reentrancy issues in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), leading to a double free vulnerability. A malicious privileged guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host.

Upstream patch:
https://patchew.org/QEMU/20240409105537.18308-1-philmd@linaro.org/

Comment 1 Mauro Matteo Cascella 2024-04-09 18:30:39 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2274212]

Comment 3 Mauro Matteo Cascella 2024-04-09 18:35:24 UTC
While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL systems due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU by using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. The fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up an additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of a guest-to-host escape scenario. The impact of this flaw is therefore limited (Moderate) under such circumstances.

Comment 4 errata-xmlrpc 2024-09-24 03:22:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6964 https://access.redhat.com/errata/RHSA-2024:6964

Comment 5 errata-xmlrpc 2024-11-12 08:56:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9136 https://access.redhat.com/errata/RHSA-2024:9136

