Bug 1224132 (CVE-2024-4693)

Summary: VUL-0: CVE-2024-4693: qemu: virtio-pci: improper release of configure vector leads to guest triggerable crash
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: E-mail List <kvm-bugs>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: camila.matos, dfaggioli, li.zhang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/404896/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4693:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-10 16:46:28 UTC
A flaw was found in QEMU in the Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the boot process leads to a guest triggerable crash via vhost_net_stop().

The original patch [1] was found to be incomplete and is currently being reworked upstream [2][3].

[1] https://gitlab.com/qemu-project/qemu/-/commit/fcbb086ae590e910614fe5b8bf76e264f71ef304
[2] https://gitlab.com/qemu-project/qemu/-/issues/2321
[3] https://gitlab.com/qemu-project/qemu/-/issues/2334

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4693
https://bugzilla.redhat.com/show_bug.cgi?id=2279965
Comment 1 Camila Camargo de Matos 2024-05-10 17:03:35 UTC
As per the vulnerability description, it exists due to an incomplete fix [0] that was applied to qemu. This incomplete fix [0] is an attempt to correct problems that were introduced with the functionalities added through commit f9a09ca3 [1].

The incomplete fix [0] was introduced in version 8.2.3, while commit f9a09ca3 [1] was introduced in version 8.0.0.

Package qemu at versions below 8.2.3 is not affected by the issue described by this CVE specifically; however, certain codestreams which contain package qemu at a version between 8.0.0 and 8.2.3 are affected by the issue that [0] is attempting to fix.

[0] https://gitlab.com/qemu-project/qemu/-/commit/2ce6cff94df2650c460f809e5ad263f1d22507c0
[1] https://gitlab.com/qemu-project/qemu/-/commit/f9a09ca3ea69d108d828b7c82f1bd61b2df6fc96
Comment 3 Dario Faggioli 2024-07-09 05:45:31 UTC
(In reply to Camila Camargo de Matos from comment #1)
> As per the vulnerability description, it exists due to an incomplete fix [0]
> that was applied to qemu. This incomplete fix [0] is an attempt to correct
> problems that were introduced with the functionalities added through commit
> f9a09ca3 [1].
> 
> The incomplete fix [0] was introduced in version 8.2.3, while commit
> f9a09ca3 [1] was introduced in version 8.0.0.
> 
> Package qemu at versions below 8.2.3 are not affected by the issue described
> by this CVE specifically, however, certain codestreams which contain package
> qemu at a version that is between 8.0.0 and 8.2.3 are affected by the issue
> that [0] is attempting to fix.
> 
> [0]
> https://gitlab.com/qemu-project/qemu/-/commit/
> 2ce6cff94df2650c460f809e5ad263f1d22507c0
> [1]
> https://gitlab.com/qemu-project/qemu/-/commit/
> f9a09ca3ea69d108d828b7c82f1bd61b2df6fc96

Ok, the fix should be these patches: https://lore.kernel.org/qemu-devel/20240702020033.139261-1-lulu@redhat.com/

I'm not sure why/how the first one appears to be upstream commit https://gitlab.com/qemu-project/qemu/-/commit/7eeb62b0ce3a8f64647bf53f93903abd1fbb0b94 (it's mentioned as such even here: https://bugzilla.redhat.com/show_bug.cgi?id=2279965), because I don't actually see it in the tree yet... Maybe it is/was in a branch or there's something else I'm missing.

Anyway, the patch is still being discussed in the ML. I'll keep an eye out for it.