Bugzilla – Bug 1014110
VUL-0: CVE-2016-9913,CVE-2016-9914,CVE-2016-9915,CVE-2016-9916: qemu: 9pfs: memory leakage via proxy/handle callbacks
Last modified: 2017-06-08 10:56:52 UTC
Reference: http://seclists.org/oss-sec/2016/q4/617

===================================================

Hello,

Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to a memory leakage issue. It could occur via its '9p-handle' or '9p-proxy' backend drivers as they do not free their respective allocated data objects.

A privileged user inside the guest could use this flaw to leak host memory, thus affecting other services on the host and/or potentially crash the Qemu process on the host.

Upstream patches:
-----------------
-> https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
===================================================
Analysis shows the following codestreams are affected:

kvm:

SUSE:SLE-11-SP3:Update/kvm/qemu-1.4.2/hw/9pfs/virtio-9p-handle.c:663
SUSE:SLE-11-SP4:Update/kvm/qemu-1.4.2/hw/9pfs/virtio-9p-handle.c:663

qemu:

SUSE:SLE-12:Update/qemu/qemu-2.0.2/hw/9pfs/virtio-9p-handle.c:672
SUSE:SLE-12-SP1:Update/qemu/qemu-2.3.1/hw/9pfs/virtio-9p-handle.c:672
SUSE:SLE-12-SP2:Update/qemu/qemu-2.6.2/hw/9pfs/9p-handle.c:673

not affected:

kvm:

SUSE:SLE-11-SP1:Update/kvm/qemu-kvm-0.12.5 (not contained)

qemu:

SUSE:SLE-11:Update/qemu/qemu-0.10.1 (not contained)
bugbot adjusting priority
CVE-2016-9913
From Mitre

> Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9
> File System(9pfs) support, is vulnerable to memory leakage issue. It could
> occur via its '9p-handle' or '9p-proxy' backend drivers as they do not free
> their respective allocated data objects.
>
> A privileged user inside guest could use this flaw to leak host memory, thus
> affecting other services on the host and/or potentially crash the Qemu process
> on the host.
>
> https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html

>> 9pfs: adjust the order of resource cleanup in device unrealize
>> http://git.qemu.org/?p=qemu.git;a=commit;h=4774718e5c194026ba5ee7a28d9be49be3080e42

Use CVE-2016-9913.

>> 9pfs: add cleanup operation in FileOperations
>> http://git.qemu.org/?p=qemu.git;a=commit;h=702dbcc274e2ca43be20ba64c758c0ca57dab91d

Use CVE-2016-9914.

>> 9pfs: add cleanup operation for handle backend driver
>> http://git.qemu.org/?p=qemu.git;a=commit;h=971f406b77a6eb84e0ad27dcc416b663765aee30

Use CVE-2016-9915.

>> 9pfs: add cleanup operation for proxy backend driver
>> http://git.qemu.org/?p=qemu.git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68

Use CVE-2016-9916.
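The four upstream commits above share one pattern: the backend drivers allocate private state at init time, the operations table had no cleanup entry, and device unrealize therefore had nothing to call to release that state. The following is an added example, written for this page and not QEMU's own code, that models that pattern in isolation: an operations table with and without a cleanup callback, an unrealize path that invokes it when present, and an allocation counter so the leak can be observed. The struct names FileOperations and FsContext echo the commit title, but their layouts, the BackendPrivate type, the tracked_alloc/tracked_free helpers and the export path are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the 9pfs backend lifecycle (not QEMU's code).
 * live_allocations exists only to make a leak observable. */
static int live_allocations = 0;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p) {
        live_allocations++;
    }
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        live_allocations--;
        free(p);
    }
}

/* Hypothetical per-backend private state: stands in for the data objects
 * the handle/proxy drivers allocate at init. */
typedef struct {
    char *export_path;
    int   fd;
} BackendPrivate;

/* Hypothetical export context; the backend keeps its state in 'opaque'. */
typedef struct {
    void *opaque;
} FsContext;

/* Hypothetical operations table. 'cleanup' is the member the fix adds;
 * it is optional so a backend that owns nothing may leave it NULL. */
typedef struct {
    const char *name;
    int  (*init)(FsContext *ctx, const char *path);
    void (*cleanup)(FsContext *ctx);
} FileOperations;

static int handle_init(FsContext *ctx, const char *path)
{
    BackendPrivate *data = tracked_alloc(sizeof(*data));
    if (!data) {
        return -1;
    }
    data->export_path = tracked_alloc(strlen(path) + 1);
    if (!data->export_path) {
        tracked_free(data);
        return -1;
    }
    strcpy(data->export_path, path);
    data->fd = -1; /* a real driver would open the export here */
    ctx->opaque = data;
    return 0;
}

/* Releases exactly what handle_init allocated, then clears the pointer. */
static void handle_cleanup(FsContext *ctx)
{
    BackendPrivate *data = ctx->opaque;
    if (!data) {
        return;
    }
    tracked_free(data->export_path);
    tracked_free(data);
    ctx->opaque = NULL;
}

/* Before the fix: no cleanup entry, so unrealize has nothing to call. */
static const FileOperations handle_ops_leaky = { "handle", handle_init, NULL };
/* After the fix: cleanup pairs with init. */
static const FileOperations handle_ops_fixed = { "handle", handle_init, handle_cleanup };

static int device_realize(FsContext *ctx, const FileOperations *ops, const char *path)
{
    ctx->opaque = NULL;
    return ops->init(ctx, path);
}

static void device_unrealize(FsContext *ctx, const FileOperations *ops)
{
    if (ops->cleanup) {
        ops->cleanup(ctx);
    }
}

/* Realize then unrealize once and return how many allocations were still
 * live after unrealize (0 means no leak). Any leftover state is released
 * afterwards so the demo itself does not leak. */
int leaked_after_cycle(const FileOperations *ops)
{
    FsContext ctx;
    int leaked;
    live_allocations = 0;
    if (device_realize(&ctx, ops, "/srv/export") != 0) {
        return -1;
    }
    device_unrealize(&ctx, ops);
    leaked = live_allocations;
    if (ctx.opaque) {
        handle_cleanup(&ctx);
    }
    return leaked;
}

int main(void)
{
    printf("leaky table: %d allocations still live after unrealize\n",
           leaked_after_cycle(&handle_ops_leaky));
    printf("fixed table: %d allocations still live after unrealize\n",
           leaked_after_cycle(&handle_ops_fixed));
    return 0;
}
```

Run against the leaky table the cycle leaves two allocations live (the private struct and its path string); with the fixed table it leaves none. The same counter-based check is a cheap regression test to keep beside any driver whose init and cleanup are meant to be symmetric, since a guest that can trigger realize/unrealize repeatedly turns even a small per-cycle leak into host memory pressure.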
SUSE-SU-2017:0127-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1007454,1008519,1009109,1013285,1013341,1013764,1013767,1014109,1014110,1014111,1014112,1014256,1014514,1016779,937125
CVE References: CVE-2016-9102,CVE-2016-9103,CVE-2016-9381,CVE-2016-9776,CVE-2016-9845,CVE-2016-9846,CVE-2016-9907,CVE-2016-9908,CVE-2016-9911,CVE-2016-9912,CVE-2016-9913,CVE-2016-9921,CVE-2016-9922
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): qemu-2.6.2-39.1
SUSE Linux Enterprise Server 12-SP2 (src): qemu-2.6.2-39.1
SUSE Linux Enterprise Desktop 12-SP2 (src): qemu-2.6.2-39.1
openSUSE-SU-2017:0194-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1007454,1008519,1009109,1013285,1013341,1013764,1013767,1014109,1014110,1014111,1014112,1014256,1014514,1016779,937125
CVE References: CVE-2016-9102,CVE-2016-9103,CVE-2016-9381,CVE-2016-9776,CVE-2016-9845,CVE-2016-9846,CVE-2016-9907,CVE-2016-9908,CVE-2016-9911,CVE-2016-9912,CVE-2016-9913,CVE-2016-9921,CVE-2016-9922
Sources used:
openSUSE Leap 42.2 (src): qemu-2.6.2-26.1, qemu-linux-user-2.6.2-26.1, qemu-testsuite-2.6.2-26.1
(In reply to Matthias Gerstner from comment #1)
> Analysis shows the following codestreams are affected:
>
> kvm:
>
> SUSE:SLE-11-SP3:Update/kvm/qemu-1.4.2/hw/9pfs/virtio-9p-handle.c:663
> SUSE:SLE-11-SP4:Update/kvm/qemu-1.4.2/hw/9pfs/virtio-9p-handle.c:663
>
> qemu:
>
> SUSE:SLE-12:Update/qemu/qemu-2.0.2/hw/9pfs/virtio-9p-handle.c:672
> SUSE:SLE-12-SP1:Update/qemu/qemu-2.3.1/hw/9pfs/virtio-9p-handle.c:672
> SUSE:SLE-12-SP2:Update/qemu/qemu-2.6.2/hw/9pfs/9p-handle.c:673
>
> not affected:
>
> kvm:
>
> SUSE:SLE-11-SP1:Update/kvm/qemu-kvm-0.12.5 (not contained)
>
> qemu:
>
> SUSE:SLE-11:Update/qemu/qemu-0.10.1 (not contained)

Turns out that only SLE-12-SP2 is affected, since SLE-12-SP1 and earlier do not have the option to unrealize the virtio 9p device, so no option to leak memory via unrealize device code paths.
(In reply to brogers@suse.com from comment #7)
> Turns out that only SLE-12-SP2 is affected, since SLE-12-SP1 and earlier do
> not have the option to unrealize the virtio 9p device, so no option to leak
> memory via unrealize device code paths.

Indeed. Sorry, I didn't realize the cleanup function didn't exist before that. In my mind a cleanup function would be one of the first things to add, so I implied its existence. Thank you for updating.
Fixed.