Bug 1214551 (CVE-2022-36648) - VUL-0: CVE-2022-36648: qemu,kvm: denial of service or code execution via of_dpa_cmd_add_l2_flood
Summary: VUL-0: CVE-2022-36648: qemu,kvm: denial of service or code execution via of_d...
Status: NEW
Alias: CVE-2022-36648
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/376031/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-36648:7.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-24 06:52 UTC by Robert Frohl
Modified: 2024-04-16 14:27 UTC
CC: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
dfaggioli: needinfo? (alnovak)


Attachments

Description Robert Frohl 2023-08-24 06:52:09 UTC
CVE-2022-36648

The hardware emulation in of_dpa_cmd_add_l2_flood of the rocker device model in
QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host
qemu and potentially execute code on the host by executing a malformed program in
the guest OS.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36648
https://www.cve.org/CVERecord?id=CVE-2022-36648
https://lists.nongnu.org/archive/html/qemu-devel/2022-06/msg04469.html
Comment 3 Joyeta Modak 2023-09-20 05:22:29 UTC
Hi, a customer wanted a fix for CVE-2022-36648
on sles12-sp2.

Do we know when it will be released?
Comment 4 Joyeta Modak 2023-10-11 06:47:39 UTC
Is there any update on when the fix will be released for sles12-sp2?
Comment 8 Joyeta Modak 2024-03-11 07:27:36 UTC
Any updates on the release of fix?
Comment 9 Dario Faggioli 2024-03-14 20:28:23 UTC
(In reply to Joyeta Modak from comment #8)
> Any updates on the release of fix?

No, I do not see it having been committed yet.
Comment 10 Ales Novak 2024-03-27 11:04:25 UTC
Dario/Claudio - this CVE has an NVD score of 10 and a SUSE score of 7, so quite high. Do we really have to maintain the upstream-first policy for such cases? Background: there's a customer asking for this fix in bsc#1215455
Comment 11 Dario Faggioli 2024-03-27 14:21:12 UTC
(In reply to Ales Novak from comment #10)
> Dario/Claudio - this CVE has NVD score 10, SUSE score 7, so quite high. Do
> we really have to maintain upstream-first policy for such cases? Background
> - there's a customer asking for this fix in bsc#1215455
>
In my opinion, yes... But we'll discuss in one of our meetings.

In the meantime, about this bug:

https://lore.kernel.org/qemu-devel/CAA8xKjXvhnAyHDH43xcg9_HRqNqf04QhTpcrB2s4ae1d_WWuxw@mail.gmail.com/


> Someone somehow reserved a new CVE for this bug, published a few days
> ago here: https://nvd.nist.gov/vuln/detail/CVE-2022-36648.
> 
> Not only is this not CVE worthy (rocker code does not fall under the
> KVM virtualization use case [1]) but what's most concerning is that it
> got a CVSS score of 10 :/
> 
> I'm going to dispute this CVE. Hopefully, it will be rejected soon. In
> any case, can we get this patch merged?

Some more info. A non-security issue has been opened about it:

https://gitlab.com/qemu-project/qemu/-/issues/1851

And it's still open. And the patch is still not merged.