Re: Addressing CVE-2024-3446 in qemu versions shipped in debian bullseye
From: Santiago Ruano Rincón
Subject: Re: Addressing CVE-2024-3446 in qemu versions shipped in debian bullseye and older
Date: Wed, 8 Jan 2025 13:16:24 -0500
On 02/01/25 at 08:43, Thomas Huth wrote:
> On 31/12/2024 00.21, Santiago Ruano Rincón wrote:
> > Hello there,
> >
> > (Please CC me since I am not subscribed to the QEMU devel list.)
> >
> > I am working on backporting some CVE fixes to old Debian versions
> > (bullseye and previous), and I would like to ask you some help to
> > confirm if QEMU in those debian releases is affected by CVE-2024-3446 or
> > not. This is QEMU 5.2, 3.1 and 2.8.
> >
> > On the 7.2 branch, the following four commits are required to fix
> > CVE-2024-3446:
> > https://gitlab.com/qemu-project/qemu/-/commit/e070e5e6748e3217028fa21aa30bb51f862368c8
> > https://gitlab.com/qemu-project/qemu/-/commit/6d37a308159766cb90ed745cfeb1880937b638ec
> > https://gitlab.com/qemu-project/qemu/-/commit/e7c2df3fd748a20a8b7a316d186b3ac77551f159
> > https://gitlab.com/qemu-project/qemu/-/commit/7aaf5f7778de4d75a169ab193f08857eb28db3a4
> >
> > AFAICS, the qemu_bh_new calls were replaced with qemu_bh_new_guarded in
> > 7.2.6.
> >
> > Please note that 6d37a308159766cb90ed745cfeb1880937b638ec (and
> > ba28e0ff4d95b56dc334aac2730ab3651ffc3132) include this bug as reference:
> > https://bugs.launchpad.net/qemu/+bug/1888606. Could you please confirm
> > the CVE relates to the same issue?
> >
> > I am unable to reproduce the issue. I've tried the reproducer found at
> > 6d37a308 and the one from the ubuntu referenced bug. However comment #5
> > in the ubuntu bug mentions it was reproducible with QEMU 5.0, so I am
> > confused.
>
> Hi!
>
> Just to double-check: Did you compile your QEMU with address sanitizer
> enabled? Otherwise you might not see the issue when running the reproducer.
Hi, and thanks a lot for your answer!
Yes, I am building QEMU with address sanitizer enabled. I am getting
only this ASan-related warning when running the reproducer:
==8384==WARNING: ASan doesn't fully support makecontext/swapcontext functions
and may produce false positives in some cases!
And by your message, I am assuming you are still able to reproduce it.
Please, correct me if I am wrong. I am giving another try to see if I
can get "better" results.
>
> Thomas
>
>
> > To summarise: is it OK to affirm QEMU 5.x and older is unaffected by
> > CVE-2024-3446?
> >
> > Thanks in advance, and happy new year!
> >
> > -- Santiago
>
Thanks,
-- Santiago