Bug 1218484 (CVE-2023-6693) - VUL-0: CVE-2023-6693: qemu: stack buffer overflow in virtio_net_flush_tx()
Summary: VUL-0: CVE-2023-6693: qemu: stack buffer overflow in virtio_net_flush_tx()
Status: NEW
Alias: CVE-2023-6693
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Dario Faggioli
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/389838/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6693:4.9:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-02 11:45 UTC by SMASH SMASH
Modified: 2024-05-13 13:54 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-01-02 11:45:34 UTC
A stack based buffer overflow was found in the virtio-net device of QEMU. The flaw occurs while copying data to mhdr, a local variable of type virtio_net_hdr_mrg_rxbuf, when flushing TX in the virtio_net_flush_tx function. If guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled, `n->guest_hdr_len` is set to sizeof(struct virtio_net_hdr_v1_hash), which is bigger than sizeof(virtio_net_hdr_mrg_rxbuf). This vulnerability could potentially allow a malicious user to overwrite local variables adjacent to mhdr allocated on the stack. Specifically, the out_sg variable could be used to read some part of process memory and send it to the wire:

ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), out_sg, out_num, virtio_net_tx_complete);

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6693

Patch:
https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg00045.html
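The size mismatch described above, as an added illustration that is not part of the bug report and not QEMU's own code: the struct layouts and feature-bit values are the standard virtio ones, the guest_hdr_len derivation is a simplified model of the device's logic, and the tx_frame/canary scaffolding is constructed here so that the overrun into the neighbouring bytes can be observed without undefined behaviour. The "fixed" path mirrors the shape of the upstream change (copy only sizeof(struct virtio_net_hdr) into the local, never guest_hdr_len bytes); the exact helper names are assumptions.

```c
/* Added example for CVE-2023-6693 (not QEMU code). Models why a
 * 12-byte local overflows when guest_hdr_len is 20, and the bounded
 * copy that removes the overrun. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard virtio feature bits (see linux/virtio_net.h, virtio_config.h). */
#define VIRTIO_NET_F_MRG_RXBUF   (1ULL << 15)
#define VIRTIO_F_VERSION_1       (1ULL << 32)
#define VIRTIO_NET_F_HASH_REPORT (1ULL << 57)

/* Header layouts as in the virtio spec: 10, 12, 12 and 20 bytes. */
struct virtio_net_hdr {
    uint8_t flags, gso_type;
    uint16_t hdr_len, gso_size, csum_start, csum_offset;
};
struct virtio_net_hdr_mrg_rxbuf {
    struct virtio_net_hdr hdr;
    uint16_t num_buffers;
};
struct virtio_net_hdr_v1 {
    uint8_t flags, gso_type;
    uint16_t hdr_len, gso_size, csum_start, csum_offset, num_buffers;
};
struct virtio_net_hdr_v1_hash {
    struct virtio_net_hdr_v1 hdr;
    uint32_t hash_value;
    uint16_t hash_report;
    uint16_t padding;
};

/* Simplified model of how the device derives n->guest_hdr_len from the
 * negotiated features (assumption: reduced to the cases relevant here). */
size_t guest_hdr_len_for(uint64_t features) {
    int mrg = (features & VIRTIO_NET_F_MRG_RXBUF) != 0;
    int v1  = (features & VIRTIO_F_VERSION_1) != 0;
    int hash = (features & VIRTIO_NET_F_HASH_REPORT) != 0;
    if (hash && v1 && mrg)
        return sizeof(struct virtio_net_hdr_v1_hash);   /* 20 */
    if (mrg || v1)
        return sizeof(struct virtio_net_hdr_mrg_rxbuf); /* 12 */
    return sizeof(struct virtio_net_hdr);               /* 10 */
}

/* Stand-in for the TX-path stack frame: the 12-byte local header followed
 * by whatever the compiler placed next to it (here an explicit canary). */
struct tx_frame {
    struct virtio_net_hdr_mrg_rxbuf mhdr;
    uint8_t neighbour[16];
};
#define CANARY 0xA5

/* Vulnerable pattern: copy guest_hdr_len bytes into the 12-byte local.
 * The copy targets the frame as raw bytes so the overrun stays inside a
 * single object (defined behaviour) while still clobbering the neighbour. */
size_t copy_header_vulnerable(struct tx_frame *f, const uint8_t *guest_hdr,
                              size_t guest_hdr_len) {
    size_t n = guest_hdr_len < sizeof(*f) ? guest_hdr_len : sizeof(*f);
    memcpy(f, guest_hdr, n);
    return n;
}

/* Fixed pattern (shape of the upstream change): read only
 * sizeof(struct virtio_net_hdr) into the local, whatever guest_hdr_len is,
 * and reject a header that is shorter than that. */
size_t copy_header_fixed(struct tx_frame *f, const uint8_t *guest_hdr,
                         size_t guest_hdr_len) {
    if (guest_hdr_len < sizeof(f->mhdr.hdr))
        return 0;
    memcpy(&f->mhdr.hdr, guest_hdr, sizeof(f->mhdr.hdr));
    return sizeof(f->mhdr.hdr);
}

/* Runs one flush with a constructed, fully guest-controlled header and
 * returns how many neighbouring bytes were overwritten. */
size_t clobbered_neighbour_bytes(uint64_t features, int use_fixed) {
    struct tx_frame f;
    uint8_t guest_hdr[sizeof(struct virtio_net_hdr_v1_hash)];
    memset(&f, 0, sizeof f);
    memset(f.neighbour, CANARY, sizeof f.neighbour);
    memset(guest_hdr, 0x41, sizeof guest_hdr); /* constructed guest bytes */
    size_t len = guest_hdr_len_for(features);
    if (use_fixed)
        copy_header_fixed(&f, guest_hdr, len);
    else
        copy_header_vulnerable(&f, guest_hdr, len);
    size_t n = 0;
    for (size_t i = 0; i < sizeof f.neighbour; i++)
        if (f.neighbour[i] != CANARY)
            n++;
    return n;
}

int main(void) {
    uint64_t all = VIRTIO_NET_F_HASH_REPORT | VIRTIO_F_VERSION_1 |
                   VIRTIO_NET_F_MRG_RXBUF;
    printf("guest_hdr_len=%zu local=%zu\n", guest_hdr_len_for(all),
           sizeof(struct virtio_net_hdr_mrg_rxbuf));
    printf("vulnerable: %zu neighbour bytes clobbered\n",
           clobbered_neighbour_bytes(all, 0));
    printf("fixed:      %zu neighbour bytes clobbered\n",
           clobbered_neighbour_bytes(all, 1));
    return 0;
}
```

With all three features negotiated the guest-controlled copy is 20 bytes into a 12-byte local, so 8 bytes past the header are overwritten; with only VIRTIO_NET_F_MRG_RXBUF the lengths agree and nothing spills. The fixed path bounds the copy by the destination size rather than by a guest-influenced length, which is the general check to look for in any iov_to_buf-style copy into a fixed stack object.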
Comment 4 Andrea Mattiazzo 2024-01-30 09:48:28 UTC
Upstream commit: https://github.com/qemu/qemu/commit/2220e8189fb94068dbad333228659fbac819abb0
Comment 5 Dario Faggioli 2024-02-19 16:17:18 UTC
(In reply to Andrea Mattiazzo from comment #4)
> Upstream commit:
> https://github.com/qemu/qemu/commit/2220e8189fb94068dbad333228659fbac819abb0
>
Included in v8.2.1. Will backport to earlier versions.
Comment 6 OBSbugzilla Bot 2024-02-20 12:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1218484) was mentioned in
https://build.opensuse.org/request/show/1147915 Factory / qemu
Comment 12 Maintenance Automation 2024-04-03 16:30:10 UTC
SUSE-SU-2024:1103-1: An update that solves five vulnerabilities, contains two features and has one security fix can now be installed.

Category: security (important)
Bug References: 1205316, 1209554, 1218484, 1220062, 1220065, 1220134
CVE References: CVE-2023-1544, CVE-2023-6693, CVE-2024-24474, CVE-2024-26327, CVE-2024-26328
Jira References: PED-7366, PED-8113
Maintenance Incident: [SUSE:Maintenance:33006](https://smelt.suse.de/incident/33006/)
Sources used:
SUSE Package Hub 15 15-SP5 (src):
 qemu-7.1.0-150500.49.12.1
Server Applications Module 15-SP5 (src):
 qemu-7.1.0-150500.49.12.1
openSUSE Leap 15.5 (src):
 qemu-linux-user-7.1.0-150500.49.12.1, qemu-7.1.0-150500.49.12.1
SUSE Linux Enterprise Micro 5.5 (src):
 qemu-7.1.0-150500.49.12.1
Basesystem Module 15-SP5 (src):
 qemu-7.1.0-150500.49.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.