[oss-security] 20181218 CVE-2018-20191 QEMU: pvrdma: uar_read leads to NULL dereference

106276

FEDORA-2019-88a98ce795

FEDORA-2019-0664c7724d

[qemu-devel] 20181213 Re: [PATCH v2 2/6] pvrdma: add uar_read routine

USN-3923-1

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP) where a path traversal in the in     usb_mtp_write_data function in hw/usb/dev-mtp.c due to     an improper file name sanitization. Reading and writing     of arbitrary files is allowed when a guest device is     mounted which may lead to a denial of service scenario     or possibly lead to code execution on the     host.(CVE-2018-16867)

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP). The code opening files in usb_mtp_get_object and     usb_mtp_get_partial_object and directories in     usb_mtp_object_readdir doesn't consider that the     underlying filesystem may have changed since the time     lstat(2) was called in usb_mtp_object_alloc, a     classical TOCTTOU problem. An attacker with write     access to the host filesystem, shared with a guest, can     use this property to navigate the host filesystem in     the context of the QEMU process and read any file the     QEMU process has access to. Access to the filesystem     may be local or via a network share protocol such as     CIFS.(CVE-2018-16872)

  - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an     fid path while it is being accessed by a second thread,     leading to (for example) a use-after-free     outcome.(CVE-2018-19364)

  - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS     users to cause a denial of service (crash) because of a     race condition during file renaming.(CVE-2018-19489)

  - hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a     read operation (such as uar_read by analogy to     uar_write), which allows attackers to cause a denial of     service (NULL pointer dereference).(CVE-2018-20191)

  - QEMU, through version 2.10 and through version 3.1.0,     is vulnerable to an out-of-bounds read of up to 128     bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A     local attacker with permission to execute i2c commands     could exploit this to read stack memory of the qemu     process on the host.(CVE-2019-3812)

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a     heap-based buffer overflow.(CVE-2019-6778)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- fix crash with virgl enabled (bz #1692323)

  - linux-user: make pwrite64/pread64(fd, NULL, 0, offset)     return 0 (bz #1174267)

  - Fix build with latest gluster (bz #1684298)

  - CVE-2018-20123: pvrdma: memory leakage in device hotplug     (bz #1658964)

  - CVE-2018-16872: usb-mtp: path traversal issue (bz     #1659150)

  - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz     #1660315)

  - CVE-2019-6501: scsi-generic: possible OOB access (bz     #1669005)

  - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072)

  - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c     allows for memory disclosure (bz #1678081)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol (MTP). An attacker inside the guest could use this issue to read or write arbitrary files and cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10. (CVE-2018-16867)

Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol (MTP). An attacker inside the guest could use this issue to read arbitrary files, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16872)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-19489)

Li Quang and Saar Amar discovered multiple issues in the QEMU PVRDMA device. An attacker inside the guest could use these issues to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10. These issues were resolved by disabling PVRDMA support in Ubuntu 18.10. (CVE-2018-20123, CVE-2018-20124, CVE-2018-20125, CVE-2018-20126, CVE-2018-20191, CVE-2018-20216)

Michael Hanselmann discovered that QEMU incorrectly handled certain i2c commands. A local attacker could possibly use this issue to read QEMU process memory. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2019-3812)

It was discovered that QEMU incorrectly handled the Slirp networking back-end. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2019-6778).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2018-19364: 9pfs: use-after-free (bz #1651359)

  - CVE-2018-19489: 9pfs: use-after-free renaming files (bz     #1653157)

  - CVE-2018-16867: usb-mtp: path traversal issue (bz     #1656746)

  - CVE-2018-16872: usb-mtp: path traversal issue (bz     #1659150)

  - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz     #1660315)

  - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072)

  - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c     allows for memory disclosure (bz #1678081)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
128184	EulerOS 2.0 SP8 : qemu-kvm (EulerOS-SA-2019-1815)	Nessus	Huawei Local Security Checks	high
124467	Fedora 30 : 2:qemu (2019-0664c7724d)	Nessus	Fedora Local Security Checks	high
123457	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : QEMU vulnerabilities (USN-3923-1)	Nessus	Ubuntu Local Security Checks	high
123101	Fedora 29 : 2:qemu (2019-88a98ce795)	Nessus	Fedora Local Security Checks	high

CVE-2018-20191

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high