Bug 1114529 (CVE-2018-16847)

Summary: VUL-0: CVE-2018-16847: qemu: nvme: Out-of-bounds r/w buffer access in cmb operations
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Bruce Rogers <brogers>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: brogers, meissner, rfrohl, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/218536/
Whiteboard: CVSSv3:RedHat:CVE-2018-16847:7.0:(AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H) CVSSv3:SUSE:CVE-2018-16847:7.0:(AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2018-11-02 16:22:01 UTC
rh#1644052

An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU.  It could occur in nvme_cmb_ops routines in nvme devices. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1644052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16847
http://seclists.org/oss-sec/2018/q4/124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html
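The flaw class named in the description is a guest-reachable MMIO handler that touches memory outside its heap-backed controller memory buffer (CMB). As an added illustration, not QEMU's code and not the upstream patch, the following simplified C model of CMB read/write callbacks shows the bounds check a reviewer would expect, including the edge case of an access that starts inside the buffer but would cross its end, and an offset chosen to wrap `addr + size`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model (illustration only, not QEMU's nvme code) of a CMB:
 * a heap allocation of `size` bytes exposed to the guest via MMIO. */
typedef struct {
    uint8_t *buf;   /* heap-backed CMB storage */
    uint64_t size;  /* number of valid bytes in buf */
} Cmb;

static Cmb *cmb_new(uint64_t size)
{
    Cmb *c = calloc(1, sizeof *c);
    c->buf = calloc(size, 1);
    c->size = size;
    return c;
}

/* True only if [addr, addr + size) lies entirely inside the CMB.
 * Written as `size <= c->size - addr` so the sum can never wrap. */
static bool cmb_access_in_bounds(const Cmb *c, uint64_t addr, unsigned size)
{
    return size > 0 && size <= 8 && addr < c->size && size <= c->size - addr;
}

/* Guest read of 1..8 bytes at CMB offset addr (little-endian assembly).
 * A rejected access returns all-ones, like a read of unbacked bus space,
 * and never dereferences memory outside buf. */
static uint64_t cmb_read(const Cmb *c, uint64_t addr, unsigned size)
{
    if (!cmb_access_in_bounds(c, addr, size))
        return ~0ULL;
    uint64_t val = 0;
    for (unsigned i = 0; i < size; i++)
        val |= (uint64_t)c->buf[addr + i] << (8 * i);
    return val;
}

/* Guest write of the low `size` bytes of data at CMB offset addr.
 * Returns false (and writes nothing) when the access is out of range. */
static bool cmb_write(Cmb *c, uint64_t addr, uint64_t data, unsigned size)
{
    if (!cmb_access_in_bounds(c, addr, size))
        return false;
    for (unsigned i = 0; i < size; i++)
        c->buf[addr + i] = (uint8_t)(data >> (8 * i));
    return true;
}
```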
Comment 1 Robert Frohl 2018-11-05 11:02:43 UTC
Hi,
my investigation suggests that the following codestreams are affected:
- SUSE:SLE-15:Update/qemu
- SUSE:SLE-12-SP4:Update/qemu

Older codestreams seem to be missing the affected code.
Comment 2 Bruce Rogers 2018-11-05 17:57:40 UTC
(In reply to Robert Frohl from comment #1)
> Hi,
> my investigation suggests that the following codestreams are affected:
> - SUSE:SLE-15:Update/qemu
> - SUSE:SLE-12-SP4:Update/qemu
> 
> Older codestreams seem to be missing the affected code.

Looks correct to me.
Comment 4 Bruce Rogers 2018-11-13 20:29:53 UTC
On the qemu-devel mailing list, the discussion seems to have concluded that there is actually no vulnerability here. I'll continue to watch for developments here, including whether the CVE gets withdrawn.
Comment 5 Bruce Rogers 2018-11-16 16:25:05 UTC
Another update. I guess there still does need to be a security related fix here, just not the first one proposed. Here is the currently proposed patch:

https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03181.html

For our backporting purposes the testsuite addition is not very relevant, so it ends up being quite a simple change.

Is it too late to resubmit the SLE12SP4 and SLE15 maintenance request with this one change?
Comment 6 Marcus Meissner 2018-11-20 16:13:38 UTC
no, please resubmit.
Comment 8 Bruce Rogers 2018-11-26 22:18:45 UTC
(In reply to Marcus Meissner from comment #6)
> no, please resubmit.

Resubmitted as follows:
For SLE-12-SP4: MR 178498
For SLE-15 qemu: MR 178500
Comment 10 Swamp Workflow Management 2018-11-27 17:14:51 UTC
SUSE-SU-2018:3927-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1106222,1107489,1110910,1111006,1111010,1111013,1112499,1114422,1114529
CVE References: CVE-2018-10839,CVE-2018-15746,CVE-2018-16847,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18849
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    qemu-2.11.2-9.12.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    qemu-2.11.2-9.12.2, qemu-linux-user-2.11.2-9.12.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    qemu-2.11.2-9.12.2
Comment 12 Swamp Workflow Management 2018-12-07 11:24:45 UTC
openSUSE-SU-2018:4004-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1106222,1107489,1110910,1111006,1111010,1111013,1112499,1114422,1114529
CVE References: CVE-2018-10839,CVE-2018-15746,CVE-2018-16847,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18849
Sources used:
openSUSE Leap 15.0 (src):    qemu-2.11.2-lp150.7.12.1, qemu-linux-user-2.11.2-lp150.7.12.1, qemu-testsuite-2.11.2-lp150.7.12.1
Comment 13 Swamp Workflow Management 2018-12-12 14:10:00 UTC
SUSE-SU-2018:4086-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1108474,1114529
CVE References: CVE-2018-16847
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    qemu-2.11.2-9.17.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    qemu-2.11.2-9.17.1, qemu-linux-user-2.11.2-9.17.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    qemu-2.11.2-9.17.1
Comment 14 Swamp Workflow Management 2018-12-15 11:09:39 UTC
openSUSE-SU-2018:4135-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1108474,1114529
CVE References: CVE-2018-16847
Sources used:
openSUSE Leap 15.0 (src):    qemu-2.11.2-lp150.7.15.1, qemu-linux-user-2.11.2-lp150.7.15.1, qemu-testsuite-2.11.2-lp150.7.15.1
Comment 15 Swamp Workflow Management 2018-12-19 14:13:53 UTC
SUSE-SU-2018:4185-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1106222,1108474,1110910,1111006,1111010,1111013,1114422,1114529
CVE References: CVE-2018-10839,CVE-2018-15746,CVE-2018-16847,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18849
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    qemu-2.11.2-5.5.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    qemu-2.11.2-5.5.1
Comment 16 Bruce Rogers 2019-01-10 17:12:16 UTC
Fix is included in qemu v3.1.0, which is already in Factory, and to be used for SLE15-SP1, so all affected code streams are fixed. Marking so.