Bug 1213414 (CVE-2023-3301)

Summary: VUL-0: CVE-2023-3301: qemu: vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: dfaggioli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/372775/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-07-18 07:16:05 UTC 
When a peer nic is still attached to the vdpa backend, it is too early to free
up the vhost-net and vdpa structures. If these structures are freed here, then
QEMU crashes when the guest is being shut down. The following call chain
would result in an assertion failure since the pointer returned from
vhost_vdpa_get_vhost_net() would be NULL:

do_vm_stop() -> vm_state_notify() -> virtio_set_status() ->
virtio_net_vhost_status() -> get_vhost_net().

Therefore, we defer freeing up the structures until at guest shutdown
time when qemu_cleanup() calls net_cleanup() which then calls
qemu_del_net_client() which would eventually call vhost_vdpa_cleanup()
again to free up the structures. This time, the loop in net_cleanup()
ensures that vhost_vdpa_cleanup() will be called one last time when
all the peer nics are detached and freed.

All unit tests pass with this change.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=2128929
https://lists.gnu.org/archive/html/qemu-devel/2023-06/msg05460.html
https://gitlab.com/qemu-project/qemu/-/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3301
https://nvd.nist.gov/vuln/detail/CVE-2023-3301
Comment 3 Maintenance Automation 2023-08-01 08:45:05 UTC 
SUSE-SU-2023:3082-1: An update that solves four vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1207205, 1212968, 1213001, 1213414
CVE References: CVE-2023-0330, CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
Server Applications Module 15-SP5 (src): qemu-7.1.0-150500.49.6.1
openSUSE Leap 15.5 (src): qemu-linux-user-7.1.0-150500.49.6.1, qemu-7.1.0-150500.49.6.1
Basesystem Module 15-SP5 (src): qemu-7.1.0-150500.49.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Dario Faggioli 2023-08-08 01:28:26 UTC 
With https://build.suse.de/request/show/304979 (hoping that it passes review :-D), this should be done. Handing it back
Comment 6 Maintenance Automation 2023-08-08 20:30:44 UTC 
SUSE-SU-2023:3234-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1212968, 1213001, 1213414
CVE References: CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
openSUSE Leap 15.4 (src): qemu-linux-user-6.2.0-150400.37.20.1, qemu-6.2.0-150400.37.20.1
openSUSE Leap Micro 5.3 (src): qemu-6.2.0-150400.37.20.1
openSUSE Leap Micro 5.4 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro 5.4 (src): qemu-6.2.0-150400.37.20.1
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.20.1
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-08-28 12:30:37 UTC 
SUSE-SU-2023:3444-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1188609, 1190011, 1207205, 1212850, 1213414, 1213925
CVE References: CVE-2021-3638, CVE-2021-3750, CVE-2023-0330, CVE-2023-3180, CVE-2023-3301, CVE-2023-3354
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Manager Proxy 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Retail Branch Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Enterprise Storage 7.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.2 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro for Rancher 5.2 (src): qemu-5.2.0-150300.127.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 OBSbugzilla Bot 2023-09-12 14:05:35 UTC 
This is an autogenerated message for OBS integration:
This bug (1213414) was mentioned in
https://build.opensuse.org/request/show/1110620 Factory / qemu
Comment 10 Maintenance Automation 2023-11-15 16:30:01 UTC 
SUSE-SU-2023:3082-2: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1207205, 1212968, 1213001, 1213414
CVE References: CVE-2023-0330, CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): qemu-7.1.0-150500.49.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Gabriele Sonnu 2024-06-10 12:50:16 UTC 
All done, closing.