Bug 2063 - A privileged attacker within a QEMU guest could cause QEMU to crash
Summary: A privileged attacker within a QEMU guest could cause QEMU to crash
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: Security, validated_update
Duplicates: 1423
Depends on:
Blocks:
 
Reported: 2011-07-07 09:37 CEST by Jérôme Soyer
Modified: 2011-10-02 02:19 CEST
CC List: 8 users

See Also:
Source RPM: qemu-0.14.1-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description Jérôme Soyer 2011-07-07 09:37:44 CEST
Nelson Elhage discovered that QEMU did not properly validate certain
virtqueue requests from the guest. An attacker could exploit this to cause
a denial of service of the guest or possibly execute code with the
privileges of the user invoking the program. (CVE-2011-2212)

Stefan Hajnoczi discovered that QEMU did not properly perform integer
comparisons when performing virtqueue input validation. An attacker could
exploit this to cause a denial of service of the guest or possibly execute
code with the privileges of the user invoking the program. (CVE-2011-2512)

When using QEMU with libvirt or virtualization management software based on
libvirt such as Eucalyptus and OpenStack, QEMU guests are individually
isolated by an AppArmor profile by default in Ubuntu.

Update instructions:

The problem can be corrected by updating your system.

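The two advisory paragraphs above name two distinct defects: a missing bound on the number of virtqueue descriptors a guest may hand to the device model, and an integer comparison that lets a guest-supplied queue index slip past its range check. The C program below is an added illustration of those two bug classes and is not QEMU's code, the upstream patches, or anything from the Mageia package. It models a walk over an indirect descriptor table into fixed-size scatter/gather arrays, with the bound check switchable on and off, and beside it a queue-notify index check with and without the narrowing to a signed int. The constants, struct layouts, function names and descriptor tables are all constructed for this example; the unpatched walk counts the out-of-bounds writes instead of performing them, so the program itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants with the same meaning as QEMU's; values assumed for the example. */
#define VIRTQUEUE_MAX_SIZE   1024   /* max scatter/gather entries per request */
#define VIRTIO_PCI_QUEUE_MAX 64     /* number of virtqueue slots per device */
#define VRING_DESC_F_NEXT    1      /* descriptor chains to .next */
#define VRING_DESC_F_WRITE   2      /* device writes this buffer (guest "in") */

/* One ring descriptor, laid out in guest memory by the guest. */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

struct sg_entry { uint64_t base; uint32_t len; };

struct walk_result {
    unsigned in_num;   /* device-writable buffers seen */
    unsigned out_num;  /* device-readable buffers seen */
    unsigned oob;      /* writes that would have landed past the sg arrays */
    int rejected;      /* request refused by a validation check */
};

/*
 * Model of walking an indirect descriptor table into fixed-size sg arrays.
 * `count` is guest-controlled (the device model derives it from the length
 * the guest put in the indirect descriptor), so nothing stops a guest from
 * supplying more than VIRTQUEUE_MAX_SIZE entries.  With hardened == 0 the
 * overruns are counted in r.oob instead of performed.
 */
static struct walk_result walk_indirect(const struct vring_desc *table,
                                        unsigned count, int hardened)
{
    static struct sg_entry in_sg[VIRTQUEUE_MAX_SIZE];
    static struct sg_entry out_sg[VIRTQUEUE_MAX_SIZE];
    struct walk_result r = {0, 0, 0, 0};
    unsigned i = 0, steps = 0;

    for (;;) {
        if (i >= count || ++steps > count) {   /* dangling or looped chain */
            r.rejected = 1;
            return r;
        }
        const struct vring_desc *d = &table[i];
        int is_in = (d->flags & VRING_DESC_F_WRITE) != 0;
        struct sg_entry *sg = is_in ? in_sg : out_sg;
        unsigned *num = is_in ? &r.in_num : &r.out_num;

        if (*num >= VIRTQUEUE_MAX_SIZE) {
            if (hardened) {          /* the bound check: refuse the request */
                r.rejected = 1;
                return r;
            }
            r.oob++;                 /* unpatched: sg[*num] would be written here */
        } else {
            sg[*num].base = d->addr;
            sg[*num].len  = d->len;
        }
        (*num)++;
        if (!(d->flags & VRING_DESC_F_NEXT))
            return r;
        i = d->next;
    }
}

/*
 * Guest writes a 32-bit queue index to a notify register.  Narrowing it to
 * int before the range check turns 0xffffffff into -1, which passes
 * `n < VIRTIO_PCI_QUEUE_MAX` and would index before the queue array.
 * (The narrowing is implementation-defined in C; mainstream compilers wrap.)
 */
static int notify_index_ok_unpatched(uint32_t val)
{
    int n = (int)val;
    return n < VIRTIO_PCI_QUEUE_MAX;
}

static int notify_index_ok_patched(uint32_t val)
{
    return val < VIRTIO_PCI_QUEUE_MAX;   /* unsigned compare: no negatives */
}

#define CHAIN_ENTRIES 1500   /* constructed: larger than VIRTQUEUE_MAX_SIZE */
static struct vring_desc big_table[CHAIN_ENTRIES];

/* Constructed guest request: CHAIN_ENTRIES device-writable 4 KiB buffers. */
static struct walk_result run_oversized_chain(int hardened)
{
    for (unsigned i = 0; i < CHAIN_ENTRIES; i++) {
        big_table[i].addr  = 0x10000ull + (uint64_t)i * 0x1000;
        big_table[i].len   = 0x1000;
        big_table[i].flags = VRING_DESC_F_WRITE |
                             (i + 1 < CHAIN_ENTRIES ? VRING_DESC_F_NEXT : 0);
        big_table[i].next  = (uint16_t)(i + 1);
    }
    return walk_indirect(big_table, CHAIN_ENTRIES, hardened);
}

/* Constructed well-formed request: header + data out, one status byte in. */
static struct walk_result run_benign_chain(int hardened)
{
    struct vring_desc t[3] = {
        { 0x1000, 16,  VRING_DESC_F_NEXT,  1 },
        { 0x2000, 512, VRING_DESC_F_NEXT,  2 },
        { 0x3000, 1,   VRING_DESC_F_WRITE, 0 },
    };
    return walk_indirect(t, 3, hardened);
}

int main(void)
{
    struct walk_result v = run_oversized_chain(0), h = run_oversized_chain(1);
    printf("unpatched: in_num=%u oob=%u rejected=%d\n", v.in_num, v.oob, v.rejected);
    printf("patched:   in_num=%u oob=%u rejected=%d\n", h.in_num, h.oob, h.rejected);
    printf("notify 0xffffffff: unpatched=%d patched=%d\n",
           notify_index_ok_unpatched(0xffffffffu),
           notify_index_ok_patched(0xffffffffu));
    return 0;
}
```

The oversized chain is accepted by the unpatched walk with 476 writes past the end of `in_sg`, while the hardened walk stops at the 1025th descriptor and rejects the request; the benign three-descriptor request passes both. The notify check shows why the second advisory paragraph is its own CVE: the range check is present in both versions, but only the unsigned comparison actually enforces it.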
Manuel Hiebel 2011-08-30 10:06:02 CEST

CC: (none) => cjw, fundawang, mageia, misc, thierry.vignaud

Comment 1 Michael Scherer 2011-08-30 12:46:56 CEST
So here is a patch for CVE-2011-2512: http://patchwork.ozlabs.org/patch/94604/

Status: NEW => ASSIGNED
Assignee: bugsquad => misc

Comment 2 Michael Scherer 2011-08-30 12:53:44 CEST
And here is one for CVE-2011-2212: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632987

Comment 3 Michael Scherer 2011-08-30 13:25:32 CEST
Pushed in update_testing as qemu-0.14.0-5.1.mga1

In order to test, and since it involves virtio, I would make sure that testers use a virtio disk. The easiest way is to use virt-manager for that, and try to install a recent supported distribution and specify to use virtio (like making sure we use virtio-net-pci). But doing this directly on the command line should be good too.

Since I run Mageia in a VM, I cannot test KVM in it, so I didn't test the update much :/

Advisory:
Nelson Elhage discovered that QEMU did not properly validate certain
virtqueue requests from the guest. An attacker could exploit this to cause
a denial of service of the guest or possibly execute code with the
privileges of the user invoking the program. (CVE-2011-2212)

Stefan Hajnoczi discovered that QEMU did not properly perform integer
comparisons when performing virtqueue input validation. An attacker could
exploit this to cause a denial of service of the guest or possibly execute
code with the privileges of the user invoking the program. (CVE-2011-2512)

Updated packages are provided to fix these issues.

Assignee: misc => qa-bugs

Comment 4 Michael Scherer 2011-08-31 21:47:36 CEST
Seems there is also https://bugs.mageia.org/show_bug.cgi?id=1423

I will add proper patch for CVE-2011-1751

Assignee: qa-bugs => misc

Comment 5 Michael Scherer 2011-08-31 21:50:46 CEST
*** Bug 1423 has been marked as a duplicate of this bug. ***

Comment 6 Samuel Verschelde 2011-09-11 13:30:01 CEST
Must the QA team test this one, or should we wait for the patch for CVE-2011-1751?

CC: (none) => stormi

Comment 7 Michael Scherer 2011-09-12 12:02:58 CEST
According to the changelog, I still didn't add it (yet).
Comment 8 Michael Scherer 2011-09-12 12:06:37 CEST
OK, and after svn up, it seems I have pushed the patch, according to the changelog of the rpm too.

Assignee: misc => qa-bugs

Samuel Verschelde 2011-09-12 12:07:16 CEST

Keywords: (none) => Security

Funda Wang 2011-09-13 03:52:09 CEST

CC: fundawang => (none)

Comment 9 claire robinson 2011-09-20 15:28:56 CEST
I'm not familiar with qemu, is there a simple test for this one please?
Comment 10 Dave Hodgins 2011-09-20 23:46:07 CEST
I'm testing on i586 following
http://fedoraproject.org/wiki/How_to_use_qemu#Qemu_virtual_machine_installation

Note that a bootable installation cd/dvd must be in the physical drive.

As qemu appears to be affected by bug 44, I'm testing with a knoppix
boot dvd.

CC: (none) => davidwhodgins

Comment 11 Dave Hodgins 2011-09-22 00:39:51 CEST
On my i586 system, qemu-0.14.0-5.1.mga1.src.rpm is working.

Much slower than VirtualBox, but it is working.
Comment 12 claire robinson 2011-09-27 13:05:17 CEST
x86_64

Ubuntu 11.04 installed under virt-manager using the Generic 2.6.25 + virtio option.

It confirmed it was using virtio, as the disk was labelled as such during installation.

Tested OK.

Update validated.

Advisory:
----------------
Nelson Elhage discovered that QEMU did not properly validate certain
virtqueue requests from the guest. An attacker could exploit this to cause
a denial of service of the guest or possibly execute code with the
privileges of the user invoking the program. (CVE-2011-2212)

Stefan Hajnoczi discovered that QEMU did not properly perform integer
comparisons when performing virtqueue input validation. An attacker could
exploit this to cause a denial of service of the guest or possibly execute
code with the privileges of the user invoking the program. (CVE-2011-2512)

Updated packages are provided to fix these issues.
----------------

Source RPM: qemu-0.14.0-5.1.mga1.src.rpm


Sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Version: Cauldron => 1

Comment 13 D Morgan 2011-10-02 02:19:21 CEST
update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED

