Re: Addressing CVE-2024-3446 in qemu versions shipped in debian bullseye and older

[Thomas Huth]

On 31/12/2024 00.21, Santiago Ruano Rincón wrote:
> Hello there,
>
> (Please CC me since I am not subscribed to the QEMU devel list.)
>
> I am working on backporting some CVE fixes to old Debian versions
> (bullseye and previous), and I would like to ask you some help to
> confirm if QEMU in those debian releases is affected by CVE-2024-3446 or
> not. This is QEMU 5.2, 3.1 and 2.8.
>
> On the 7.2 branch, the following four commits are required to fix
> CVE-2024-3446:
> https://gitlab.com/qemu-project/qemu/-/commit/e070e5e6748e3217028fa21aa30bb51f862368c8
> https://gitlab.com/qemu-project/qemu/-/commit/6d37a308159766cb90ed745cfeb1880937b638ec
> https://gitlab.com/qemu-project/qemu/-/commit/e7c2df3fd748a20a8b7a316d186b3ac77551f159
> https://gitlab.com/qemu-project/qemu/-/commit/7aaf5f7778de4d75a169ab193f08857eb28db3a4
>
> AFAICS, the qemu_bh_new calls were replaced with qemu_bh_new_guarded in
> 7.2.6.
>
> Please note that 6d37a308159766cb90ed745cfeb1880937b638ec (and
> ba28e0ff4d95b56dc334aac2730ab3651ffc3132) include this bug as reference:
> https://bugs.launchpad.net/qemu/+bug/1888606. Could you please confirm
> the CVE relates to the same issue?
>
> I am unable to reproduce the issue. I've tried the reproducer found at
> 6d37a308 and the one from the ubuntu referenced bug. However comment #5
> in the ubuntu bug mentions it was reproducible with QEMU 5.0, so I am
> confused.

 Hi!

Just to double-check: Did you compile your QEMU with address sanitizer 
enabled? Otherwise you might not see the issue when running the reproducer.

 Thomas


> To summarise: it OK to affirm QEMU 5.x and older is unaffected by
> CVE-2024-3446?
>
> Thanks in advance, and happy new year!
>
>   -- Santiago