Bug 1224132 (CVE-2024-4693) - VUL-0: CVE-2024-4693: qemu: virtio-pci: improper release of configure vector leads to guest triggerable crash
Summary: VUL-0: CVE-2024-4693: qemu: virtio-pci: improper release of configure vector ...
Status: NEW
Alias: CVE-2024-4693
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/404896/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4693:5.5:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-10 16:46 UTC by SMASH SMASH
Modified: 2024-07-09 05:45 UTC (History)
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-05-10 16:46:28 UTC
A flaw was found in QEMU in the Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the boot process leads to a guest triggerable crash via vhost_net_stop().

The original patch [1] was found to be incomplete and is currently being reworked upstream [2][3].

[1] https://gitlab.com/qemu-project/qemu/-/commit/fcbb086ae590e910614fe5b8bf76e264f71ef304
[2] https://gitlab.com/qemu-project/qemu/-/issues/2321
[3] https://gitlab.com/qemu-project/qemu/-/issues/2334

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4693
https://bugzilla.redhat.com/show_bug.cgi?id=2279965
Comment 1 Camila Camargo de Matos 2024-05-10 17:03:35 UTC
As per the vulnerability description, it exists due to an incomplete fix [0] that was applied to qemu. This incomplete fix [0] is an attempt to correct problems that were introduced with the functionalities added through commit f9a09ca3 [1].

The incomplete fix [0] was introduced in version 8.2.3, while commit f9a09ca3 [1] was introduced in version 8.0.0.

The qemu package at versions below 8.2.3 is not affected by the issue described by this CVE specifically. However, certain codestreams that contain qemu at a version between 8.0.0 and 8.2.3 are affected by the issue that [0] is attempting to fix.

[0] https://gitlab.com/qemu-project/qemu/-/commit/2ce6cff94df2650c460f809e5ad263f1d22507c0
[1] https://gitlab.com/qemu-project/qemu/-/commit/f9a09ca3ea69d108d828b7c82f1bd61b2df6fc96
Comment 3 Dario Faggioli 2024-07-09 05:45:31 UTC
(In reply to Camila Camargo de Matos from comment #1)
> As per the vulnerability description, it exists due to an incomplete fix [0]
> that was applied to qemu. This incomplete fix [0] is an attempt to correct
> problems that were introduced with the functionalities added through commit
> f9a09ca3 [1].
> 
> The incomplete fix [0] was introduced in version 8.2.3, while commit
> f9a09ca3 [1] was introduced in version 8.0.0.
> 
> The qemu package at versions below 8.2.3 is not affected by the issue described
> by this CVE specifically. However, certain codestreams that contain qemu at a
> version between 8.0.0 and 8.2.3 are affected by the issue that [0] is
> attempting to fix.
> 
> [0] https://gitlab.com/qemu-project/qemu/-/commit/2ce6cff94df2650c460f809e5ad263f1d22507c0
> [1] https://gitlab.com/qemu-project/qemu/-/commit/f9a09ca3ea69d108d828b7c82f1bd61b2df6fc96

Ok, the fix should be these patches: https://lore.kernel.org/qemu-devel/20240702020033.139261-1-lulu@redhat.com/

I'm not sure why/how the first one appears to be upstream commit https://gitlab.com/qemu-project/qemu/-/commit/7eeb62b0ce3a8f64647bf53f93903abd1fbb0b94 (it's mentioned as such even here: https://bugzilla.redhat.com/show_bug.cgi?id=2279965), because I don't actually see it in the tree yet... Maybe it is/was in a branch, or there's something else I'm missing.

Anyway, the patch is still being discussed in the ML. I'll keep an eye out for it.