Bug 1197653 (CVE-2022-1050) - VUL-0: CVE-2022-1050: qemu,kvm: pvrdma: use-after-free issue in pvrdma_exec_cmd()
Status: RESOLVED FIXED
Alias: CVE-2022-1050
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/327484/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1050:8.2:(AV:L...
Reported: 2022-03-29 14:54 UTC by Thomas Leroy
Modified: 2024-05-30 14:34 UTC
Found By: Security Response Team
Description Thomas Leroy 2022-03-29 14:54:32 UTC
rh#2069625

Guest driver might execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2069625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1050
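The defensive point behind the description is that an emulated device must not touch guest-shared command buffers before the guest has set them up, nor after the guest has torn them down. The following C sketch is an added illustration, not code from this report, from QEMU or from the upstream patch; the device model, the `struct emu_dev`, `dev_map_shared`, `dev_unmap_shared` and `dev_exec_cmd` names, and the buffer layout are all constructed for the example and do not mirror pvrdma internals.

```c
/* Constructed model (hypothetical, not QEMU's pvrdma code) of an emulated
 * device whose command handler guards against a guest that issues commands
 * before mapping the shared buffers or after unmapping them. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CMD_SLOT_SIZE 64

struct shared_bufs {
    uint8_t req[CMD_SLOT_SIZE];   /* guest writes the command here */
    uint8_t rsp[CMD_SLOT_SIZE];   /* device writes the response here */
};

struct emu_dev {
    struct shared_bufs *bufs;     /* NULL until the guest maps them */
    unsigned cmds_executed;
};

/* Guest programs the "shared buffer address" register: the device sets up
 * (here: allocates) the command/response slots. */
int dev_map_shared(struct emu_dev *d)
{
    if (d->bufs) {
        return -EBUSY;            /* already mapped */
    }
    d->bufs = calloc(1, sizeof(*d->bufs));
    return d->bufs ? 0 : -ENOMEM;
}

/* Guest tears the mapping down: the slots are freed and the pointer cleared,
 * so a later command cannot reach the freed memory. */
void dev_unmap_shared(struct emu_dev *d)
{
    free(d->bufs);
    d->bufs = NULL;
}

/* Hardened dispatcher: refuse to run a command when no shared buffers exist.
 * Without this check a command issued before mapping (or after unmapping)
 * would make the device read and write through a NULL or dangling pointer,
 * the class of bug this report describes. */
int dev_exec_cmd(struct emu_dev *d, uint8_t opcode)
{
    if (!d->bufs) {
        return -EINVAL;           /* buggy or malicious guest driver */
    }
    d->bufs->req[0] = opcode;
    memset(d->bufs->rsp, 0, CMD_SLOT_SIZE);
    d->bufs->rsp[0] = opcode;     /* echo the opcode back */
    d->bufs->rsp[1] = 0;          /* status byte: success */
    d->cmds_executed++;
    return 0;
}

/* Drive the guest-controlled lifecycle end to end: a command before mapping
 * is rejected, one after mapping runs, one after unmapping is rejected again.
 * Returns the number of commands that actually executed (expected: 1),
 * or 99 if any step did not behave as described. */
unsigned demo_sequence(void)
{
    struct emu_dev d = { .bufs = NULL, .cmds_executed = 0 };
    int before = dev_exec_cmd(&d, 0x01);
    dev_map_shared(&d);
    int during = dev_exec_cmd(&d, 0x02);
    dev_unmap_shared(&d);
    int after = dev_exec_cmd(&d, 0x03);
    if (before != -EINVAL || during != 0 || after != -EINVAL) {
        return 99;
    }
    return d.cmds_executed;
}
```

The guard is cheap and belongs at the top of the dispatcher, before any command-specific code runs, because every command path shares the same buffers; clearing the pointer on unmap is what turns a would-be use-after-free into a clean rejection.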
Comment 1 Thomas Leroy 2022-03-30 08:40:39 UTC
pvrdma support seems to be only present in the following codestreams:
- SUSE:SLE-12-SP5:Update/qemu
- SUSE:SLE-15-SP1:Update/qemu
- SUSE:SLE-15-SP2:Update/qemu
- SUSE:SLE-15-SP3:Update/qemu
- SUSE:SLE-15-SP4:Update/qemu
Comment 2 Dario Faggioli 2022-05-23 15:39:49 UTC
(In reply to Thomas Leroy from comment #0)
> rh#2069625
> 
> Guest driver might execute HW commands when shared buffers are not yet
> allocated, potentially leading to a use-after-free condition.
> 
> Upstream patch:
> https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html
> 
Indeed.

But the patch is not upstream yet, AFAICS.
Comment 9 Claudio Fontana 2022-12-07 15:06:25 UTC
(pinged upstream, but looks good to me)
Comment 10 Cathy Hu 2022-12-14 08:23:06 UTC
Hi, is there any update here? Thanks!
Comment 12 Dario Faggioli 2023-02-22 15:21:13 UTC
Ok, this seems to have finally made upstream!

> commit ebdc3fc10ef04b103ec4d874be058a498caa9c75 (HEAD -> opensuse-6.2)
> Author: Yuval Shaia <yuval.shaia.ml@gmail.com>
> Date:   Sun Apr 3 12:52:34 2022 +0300
> 
>     hw/pvrdma: Protect against buggy or malicious guest driver

It's not part of any release version, so it needs backporting to Factory, 15-SP5, 15-SP4, and I guess all the other old codestreams mentioned in comment 1, right?
Comment 13 Thomas Leroy 2023-02-22 15:48:20 UTC
(In reply to Dario Faggioli from comment #12)
> Ok, this seems to have finally made upstream!
> 
> > commit ebdc3fc10ef04b103ec4d874be058a498caa9c75 (HEAD -> opensuse-6.2)
> > Author: Yuval Shaia <yuval.shaia.ml@gmail.com>
> > Date:   Sun Apr 3 12:52:34 2022 +0300
> > 
> >     hw/pvrdma: Protect against buggy or malicious guest driver
> 
> It's not part of any release version, so it needs backporting to Factory,
> 15-SP5, 15-SP4, and I guess all the other old codestreams mentioned in
> comment 1, right?

Exactly, thanks Dario!
Comment 17 Maintenance Automation 2023-03-08 12:30:01 UTC
SUSE-SU-2023:0671-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1197653, 1202364, 1203788, 1205808, 1206527
CVE References: CVE-2022-1050, CVE-2022-3165, CVE-2022-4144
Sources used:
openSUSE Leap Micro 5.3 (src): qemu-6.2.0-150400.37.11.1
openSUSE Leap 15.4 (src): qemu-6.2.0-150400.37.11.1, qemu-linux-user-6.2.0-150400.37.11.1, qemu-testsuite-6.2.0-150400.37.11.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.11.1
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.11.1
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.11.1
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2023-03-16 12:30:24 UTC
SUSE-SU-2023:0761-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1172033, 1172382, 1175144, 1180207, 1182282, 1185000, 1193880, 1197653, 1198035, 1198038, 1198712, 1201367, 1205808
CVE References: CVE-2020-13253, CVE-2020-13754, CVE-2020-14394, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409, CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2022-0216, CVE-2022-1050, CVE-2022-26354, CVE-2022-35414, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server 12 SP5 (src): qemu-3.1.1.1-66.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): qemu-3.1.1.1-66.1
Comment 21 Maintenance Automation 2023-03-21 12:30:09 UTC
SUSE-SU-2023:0840-1: An update that solves six vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1180207, 1185000, 1193880, 1197653, 1198038, 1202364, 1205808
CVE References: CVE-2020-14394, CVE-2021-3507, CVE-2021-3929, CVE-2022-0216, CVE-2022-1050, CVE-2022-4144
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Real Time 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): qemu-5.2.0-150300.121.2
SUSE Manager Proxy 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Manager Retail Branch Server 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Manager Server 4.2 (src): qemu-5.2.0-150300.121.2
SUSE Enterprise Storage 7.1 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro 5.1 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro 5.2 (src): qemu-5.2.0-150300.121.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): qemu-5.2.0-150300.121.2
Comment 25 Claudio Fontana 2023-08-01 10:32:32 UTC
assigning to Zhang Li to complete the backports to

SUSE:SLE-15-SP1:Update
SUSE:SLE-15-SP2:Update

(not sure about whether 15-SP3:Update is still needed.)

Thanks
Comment 26 Li Zhang 2023-08-08 11:47:00 UTC
(In reply to Claudio Fontana from comment #25)
> assigning to Zhang Li to complete the backports to
> 
> SUSE:SLE-15-SP1:Update
> SUSE:SLE-15-SP2:Update
> 
> (not sure about whether 15-SP3:Update is still needed.)
> 
> Thanks

For SLE-15-SP1, the source code is different. I have reworked the patches. The submodules introduce a lot of patches. So currently, we may push all these patches if the version is not specified with these submodules.
Comment 29 Maintenance Automation 2023-09-21 08:30:02 UTC
SUSE-SU-2023:3721-1: An update that solves 10 vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1188609, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2020-13754, CVE-2021-3638, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.4 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): qemu-4.2.1-150200.79.1
Comment 30 Maintenance Automation 2023-09-27 12:30:07 UTC
SUSE-SU-2023:3800-1: An update that solves nine vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2019-13754, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
SUSE CaaS Platform 4.0 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): qemu-3.1.1.1-150100.80.51.5