Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-4172: hw/acpi/erst.c: Fix memory handling issues (defb7098) · Commits · QEMU / QEMU · GitLab

An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.

CVE
#git#buffer_overflow#auth

Skip to content

Commit defb7098 authored Oct 24, 2022 by Christian A. Ehrhardt Committed by MST Nov 07, 2022

Browse files

  • Changes 1

@@ -635,7 +635,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)

if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {

rc = STATUS_FAILED;

}

if ((s->record_offset + record_length) > exchange_length) {

if (record_length > exchange_length - s->record_offset) {

rc = STATUS_FAILED;

}

/* If all is ok, copy the record to the exchange buffer */

@@ -684,7 +684,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)

if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {

return STATUS_FAILED;

}

if ((s->record_offset + record_length) > exchange_length) {

if (record_length > exchange_length - s->record_offset) {

return STATUS_FAILED;

}

@@ -716,7 +716,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)

if (nvram) {

/* Write the record into the slot */

memcpy(nvram, exchange, record_length);

memset(nvram + record_length, exchange_length - record_length, 0xFF);

memset(nvram + record_length, 0xFF, exchange_length - record_length);

/* If a new record, increment the record_count */

if (!record_found) {

uint32_t record_count;

Related news

Gentoo Linux Security Advisory 202408-18

Gentoo Linux Security Advisory 202408-18 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service. Versions greater than or equal to 8.0.0 are affected.

Ubuntu Security Notice USN-6167-1

Ubuntu Security Notice 6167-1 - It was discovered that QEMU did not properly manage the guest drivers when shared buffers are not allocated. A malicious guest driver could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10. It was discovered that QEMU did not properly check the size of the structure pointed to by the guest physical address pqxl. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10.

RHSA-2023:2162: Red Hat Security Advisory: qemu-kvm security, bug fix, and enhancement update

An update for qemu-kvm is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3165: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. * CVE-2022-4172: An integer overflow and buffer overflow issues were found in...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907