Bug 1218484 (CVE-2023-6693)

Summary: VUL-0: CVE-2023-6693: qemu: stack buffer overflow in virtio_net_flush_tx()
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Dario Faggioli <dfaggioli>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andrea.mattiazzo, dfaggioli, gianluca.gabrielli
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/389838/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6693:4.9:(AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-01-02 11:45:34 UTC
A stack-based buffer overflow was found in the virtio-net device of QEMU. The flaw occurs while copying data to `mhdr`, a local variable of type `virtio_net_hdr_mrg_rxbuf`, when flushing TX in the `virtio_net_flush_tx()` function. If the guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled, `n->guest_hdr_len` is set to `sizeof(struct virtio_net_hdr_v1_hash)`, which is larger than `sizeof(struct virtio_net_hdr_mrg_rxbuf)`, so the copy runs past the end of `mhdr`. This vulnerability could potentially allow a malicious user to overwrite local variables adjacent to `mhdr` on the stack. Specifically, the `out_sg` variable could be used to read part of process memory and send it to the wire:

ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), out_sg, out_num, virtio_net_tx_complete);
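The size mismatch described above, reduced to a stand-alone C illustration. This is added example code, not QEMU's source and not the upstream patch: the three header structs are stand-ins whose field layout follows the virtio spec, so their sizes (10, 12 and 20 bytes) match the real `virtio_net_hdr`, `virtio_net_hdr_mrg_rxbuf` and `virtio_net_hdr_v1_hash`; the helper names `guest_hdr_len_for_features`, `copy_vnet_hdr_checked` and `tx_header_copy_outcome`, and the constructed 20-byte header, are assumptions made for the example. The checked copy refuses any header longer than the destination local, which is the condition the report says the unchecked copy into `mhdr` violated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the virtio-net header layouts (constructed for this example;
 * field order follows the virtio spec so sizeof() matches the real structs). */
struct vnet_hdr {
    uint8_t  flags;
    uint8_t  gso_type;
    uint16_t hdr_len;
    uint16_t gso_size;
    uint16_t csum_start;
    uint16_t csum_offset;
};                                  /* 10 bytes */

struct vnet_hdr_mrg_rxbuf {
    struct vnet_hdr hdr;
    uint16_t num_buffers;
};                                  /* 12 bytes: the type of the local mhdr */

struct vnet_hdr_v1_hash {
    struct vnet_hdr_mrg_rxbuf hdr;
    uint32_t hash_value;
    uint16_t hash_report;
    uint16_t padding;
};                                  /* 20 bytes: selected when hash reporting is on */

/* Hypothetical helper mirroring how the guest-visible header length follows
 * from the negotiated features: hash reporting (which requires VERSION_1 and
 * MRG_RXBUF) selects the 20-byte header, mergeable buffers the 12-byte one. */
size_t guest_hdr_len_for_features(bool mrg_rxbuf, bool version_1, bool hash_report)
{
    if (hash_report && version_1 && mrg_rxbuf) {
        return sizeof(struct vnet_hdr_v1_hash);
    }
    if (mrg_rxbuf || version_1) {
        return sizeof(struct vnet_hdr_mrg_rxbuf);
    }
    return sizeof(struct vnet_hdr);
}

/* Bounded version of the header copy. The flaw in the report is a copy of
 * guest_hdr_len bytes into a dst_size-byte local with no such check; here a
 * header that would not fit is rejected instead of overrunning the local.
 * Returns 0 on success, -1 if the copy would overflow dst, -2 if the guest
 * supplied fewer bytes than the header length. */
int copy_vnet_hdr_checked(const uint8_t *out_buf, size_t out_len,
                          size_t guest_hdr_len, void *dst, size_t dst_size)
{
    if (guest_hdr_len > dst_size) {
        return -1;                  /* would overflow the stack local */
    }
    if (out_len < guest_hdr_len) {
        return -2;                  /* truncated header from the guest */
    }
    memcpy(dst, out_buf, guest_hdr_len);
    return 0;
}

/* Runs the flush-TX header copy for one feature combination against a
 * constructed 20-byte guest header and a 12-byte local, returning the
 * copy_vnet_hdr_checked() result. */
int tx_header_copy_outcome(bool mrg_rxbuf, bool version_1, bool hash_report)
{
    uint8_t guest_hdr[sizeof(struct vnet_hdr_v1_hash)];   /* constructed input */
    memset(guest_hdr, 0xAB, sizeof(guest_hdr));

    struct vnet_hdr_mrg_rxbuf mhdr;                       /* same type as the local in the report */
    size_t len = guest_hdr_len_for_features(mrg_rxbuf, version_1, hash_report);
    return copy_vnet_hdr_checked(guest_hdr, sizeof(guest_hdr), len, &mhdr, sizeof(mhdr));
}

int main(void)
{
    printf("sizes: hdr=%zu mrg_rxbuf=%zu v1_hash=%zu\n",
           sizeof(struct vnet_hdr), sizeof(struct vnet_hdr_mrg_rxbuf),
           sizeof(struct vnet_hdr_v1_hash));
    printf("MRG_RXBUF+VERSION_1          -> %d\n", tx_header_copy_outcome(true, true, false));
    printf("MRG_RXBUF+VERSION_1+HASH_REPORT -> %d (rejected: 20 > 12)\n",
           tx_header_copy_outcome(true, true, true));
    return 0;
}
```

The returned -1 for the hash-report combination is the defender's signal: any path that copies `n->guest_hdr_len` bytes into a fixed-size local must be sized by the largest negotiable header or bounded by the local's size, and a rejection here maps to the `virtio_error()`-style fault the device would raise rather than silent stack corruption.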

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6693

Patch:
https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg00045.html
Comment 4 Andrea Mattiazzo 2024-01-30 09:48:28 UTC
Upstream commit: https://github.com/qemu/qemu/commit/2220e8189fb94068dbad333228659fbac819abb0
Comment 5 Dario Faggioli 2024-02-19 16:17:18 UTC
(In reply to Andrea Mattiazzo from comment #4)
> Upstream commit:
> https://github.com/qemu/qemu/commit/2220e8189fb94068dbad333228659fbac819abb0
>
Included in v8.2.1. Will backport to earlier versions.
Comment 6 OBSbugzilla Bot 2024-02-20 12:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1218484) was mentioned in
https://build.opensuse.org/request/show/1147915 Factory / qemu
Comment 12 Maintenance Automation 2024-04-03 16:30:10 UTC
SUSE-SU-2024:1103-1: An update that solves five vulnerabilities, contains two features and has one security fix can now be installed.

Category: security (important)
Bug References: 1205316, 1209554, 1218484, 1220062, 1220065, 1220134
CVE References: CVE-2023-1544, CVE-2023-6693, CVE-2024-24474, CVE-2024-26327, CVE-2024-26328
Jira References: PED-7366, PED-8113
Maintenance Incident: [SUSE:Maintenance:33006](https://smelt.suse.de/incident/33006/)
Sources used:
SUSE Package Hub 15 15-SP5 (src):
 qemu-7.1.0-150500.49.12.1
Server Applications Module 15-SP5 (src):
 qemu-7.1.0-150500.49.12.1
openSUSE Leap 15.5 (src):
 qemu-linux-user-7.1.0-150500.49.12.1, qemu-7.1.0-150500.49.12.1
SUSE Linux Enterprise Micro 5.5 (src):
 qemu-7.1.0-150500.49.12.1
Basesystem Module 15-SP5 (src):
 qemu-7.1.0-150500.49.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.