CVE-2022-3165 – QEMU: VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion
https://notcve.org/view.php?id=CVE-2022-3165
An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. Se ha encontrado un problema de desbordamiento de enteros en el servidor VNC de QEMU mientras son procesados mensajes ClientCutText en el formato extendido. Un cliente malicioso podría usar este fallo para hacer que QEMU no responda mediante el envío de un mensaje de carga útil especialmente diseñado, resultando en una denegación de servicio An integer underflow issue was found in the QEMU built-in VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. • https://gitlab.com/qemu-project/qemu/-/commit/d307040b18 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I36LKZA7Z65J3LJU2P37LVTWDFTXBMPU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTY7TVHX62OJWF6IOBCIGLR2N5K4QN3E https://security.netapp.com/advisory/ntap-20221223-0006 https://access.redhat.com/security/cve/CVE-2022-3165 https://bugzilla.redhat.com/show_bug.cgi?id=2129739 • CWE-191: Integer Underflow (Wrap or Wraparound) CWE-400: Uncontrolled Resource Consumption •
CVE-2022-2962
https://notcve.org/view.php?id=CVE-2022-2962
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. Se encontró un problema de reentrada DMA en la emulación del dispositivo Tulip en QEMU. • https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182 https://gitlab.com/qemu-project/qemu/-/issues/1171 • CWE-400: Uncontrolled Resource Consumption CWE-662: Improper Synchronization •
CVE-2021-3735
https://notcve.org/view.php?id=CVE-2021-3735
A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. Se ha encontrado un problema de bloqueo en el dispositivo controlador AHCI de QEMU. • https://access.redhat.com/security/cve/CVE-2021-3735 https://bugzilla.redhat.com/show_bug.cgi?id=1997184 https://security-tracker.debian.org/tracker/CVE-2021-3735 • CWE-400: Uncontrolled Resource Consumption CWE-667: Improper Locking •
CVE-2022-35414
https://notcve.org/view.php?id=CVE-2022-35414
softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time. ** EN DISPUTA ** El archivo softmmu/physmem.c en QEMU versiones hasta 7.0.0, puede llevar a cabo una lectura no inicializada en la ruta translate_fail, conllevando a un bloqueo io_readx o io_writex. NOTA: un tercero afirma que el caso de uso de no virtualización en la referencia de qemu.org se aplica aquí, es decir, "Los errores que afectan al caso de uso de no virtualización no se consideran errores de seguridad en este momento" • https://github.com/qemu/qemu/blob/f200ff158d5abcb974a6b597a962b6b2fbea2b06/softmmu/physmem.c https://github.com/qemu/qemu/blob/v7.0.0/include/exec/cpu-all.h#L145-L148 https://github.com/qemu/qemu/commit/3517fb726741c109cae7995f9ea46f0cab6187d6#diff-83c563ed6330dc5d49876f1116e7518b5c16654bbc6e9b4ea8e28f5833d576fcR482 https://github.com/qemu/qemu/commit/3517fb726741c109cae7995f9ea46f0cab6187d6#diff-83c563ed6330dc5d49876f1116e7518b5c16654bbc6e9b4ea8e28f5833d576fcR482.aa https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c https://gitlab.com/qemu-project/qemu • CWE-908: Use of Uninitialized Resource •
CVE-2021-3929
https://notcve.org/view.php?id=CVE-2021-3929
A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host. Se ha encontrado un problema de reentrada DMA en la emulación del controlador NVM Express (NVME) en QEMU. Este CVE es similar al CVE-2021-3750 y, al igual que éste, cuando la escritura de reentrada desencadena la función de reinicio nvme_ctrl_reset(), los structs de datos serán liberados conllevando a un problema de uso de memoria previamente liberada. • https://github.com/QiuhaoLi/CVE-2021-3929-3947 https://access.redhat.com/security/cve/CVE-2021-3929 https://bugzilla.redhat.com/show_bug.cgi?id=2020298 https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385 https://gitlab.com/qemu-project/qemu/-/issues/556 https://gitlab.com/qemu-project/qemu/-/issues/782 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHNN7QJCEQH7AQG5AQP2GEFAQE6K635I • CWE-416: Use After Free •