Headline
CVE-2022-26353: [PATCH] virtio-net: fix map leaking on error during receive
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
From:
Jason Wang
Subject:
[PATCH] virtio-net: fix map leaking on error during receive
Date:
Tue, 8 Mar 2022 13:56:42 +0800
Commit bedd7e93d0196 (“virtio-net: fix use after unmap/free for sg”) tries to fix the use after free of the sg by caching the virtqueue elements in an array and unmap them at once after receiving the packets, But it forgot to unmap the cached elements on error which will lead to leaking of mapping and other unexpected results.
Fixing this by detaching the cached elements on error. This addresses CVE-2022-26353.
Reported-by: Victor Tom [email protected] Cc: [email protected] Fixes: bedd7e93d0196 (“virtio-net: fix use after unmap/free for sg”) Signed-off-by: Jason Wang [email protected]
hw/net/virtio-net.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c index cf8ab0f8af…65b61c836c 100644 — a/hw/net/virtio-net.c +++ b/hw/net/virtio-net.c @@ -1867,6 +1867,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
err: for (j = 0; j < i; j++) {
}virtqueue\_detach\_element(q->rx\_vq, elems\[j\], lens\[j\]); g\_free(elems\[j\]);
– 2.25.1
[PATCH] virtio-net: fix map leaking on error during receive, Jason Wang <=
- Re: [PATCH] virtio-net: fix map leaking on error during receive, Michael S. Tsirkin, 2022/03/08
- Re: [PATCH] virtio-net: fix map leaking on error during receive, Jason Wang, 2022/03/08
- Re: [PATCH] virtio-net: fix map leaking on error during receive, Michael S. Tsirkin, 2022/03/08
Prev by Date: Re: Question about atomics
Next by Date: Re: [PATCH v5 00/15] vDPA shadow virtqueue
Previous by thread: Question about atomics
Next by thread: Re: [PATCH] virtio-net: fix map leaking on error during receive
Index(es):
- Date
- Thread
Related news
Gentoo Linux Security Advisory 202208-27 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could result in remote code execution (guest sandbox escape). Versions less than 7.0.0 are affected.
Red Hat Security Advisory 2022-5821-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.
An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4206: QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow * CVE-2021-4207: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow * CVE-2022-26353: QEMU: virtio-net: map leaking on error during receive * CVE-2022-26354: QEMU: vhost-vsock: missing virtqueue detach on error can...
Red Hat Security Advisory 2022-5263-01 - Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Issues addressed include a memory leak vulnerability.
An update for qemu-kvm is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26353: QEMU: virtio-net: map leaking on error during receive * CVE-2022-26354: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak
Ubuntu Security Notice 5489-1 - Alexander Bulekov discovered that QEMU incorrectly handled floppy disk emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak sensitive information. It was discovered that QEMU incorrectly handled NVME controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS.
Red Hat Security Advisory 2022-5002-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.
An update for the virt:av and virt-devel:av modules is now available for Red Hat Enterprise Linux Advanced Virtualization 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4206: QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow * CVE-2021-4207: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow * CVE-2022-26353: QEMU: virtio-net: map leaking on error during receive * CVE-2022-26354: QEMU: vhos...