qemu: CVE-2018-19665


Debian Bug report logs - #916278


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 12 Dec 2018 14:12:02 UTC

Severity: important

Tags: security, upstream

Found in version qemu/1:3.1+dfsg-1

Fixed in version qemu/1:3.1+dfsg-2

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.

Forwarded to https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#916278; Package src:qemu. (Wed, 12 Dec 2018 14:12:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 12 Dec 2018 14:12:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2018-19665
Date: Wed, 12 Dec 2018 15:09:44 +0100
Source: qemu
Version: 1:3.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html

Hi,

The following vulnerability was published for qemu.

CVE-2018-19665[0]:
| The Bluetooth subsystem in QEMU mishandles negative values for length
| variables, leading to memory corruption.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19665
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19665
[1] https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Fri, 21 Dec 2018 15:54:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Dec 2018 15:54:09 GMT).


Message #10 received at 916278-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 916278-close@bugs.debian.org
Subject: Bug#916278: fixed in qemu 1:3.1+dfsg-2
Date: Fri, 21 Dec 2018 15:51:14 +0000
Source: qemu
Source-Version: 1:3.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916278@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 21 Dec 2018 16:51:39 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-data qemu-system-common qemu-system-gui qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:3.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator, dummy package
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-data - QEMU full system emulation (data files)
 qemu-system-gui - QEMU full system emulation binaries (user interface and audio sup
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 684909 849798 903562 912655 916278 916279 916397 916625 916674 917007
Changes:
 qemu (1:3.1+dfsg-2) unstable; urgency=medium
 .
   * d/rules: split arch and indep builds
   * enable s390x cross-compiler and build s390-ccw.img (Closes: #684909)
   * build x86 optionrom in qemu-system-data (was in seabios/debian/)
   * qemu-system-data: Multi-Arch: allowed=>foreign (Closes: #903562)
   * fix Replaces: version for qemu-system-common (Closes: #916279)
   * add simple udev rules file for systemd guest agent (Closes: #916674)
   * usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch
     Race condition in usb_mtp implementation (Closes: #916397)
   * bt-use-size_t-type-for-length-parameters-instead-of-int-CVE-2018-19665.patch
     Memory corruption in bluetooth subsystem (Closes: #916278)
   * hw_usb-fix-mistaken-de-initialization-of-CCID-state.patch (Closes: #917007)
   * bump debhelper compat to 12 (>>11)
   * d/rules: use dh_missing instead of dh_install --list-missing (compat=12)
   * use dh_installsystemd for guest agent (Closes: #916625)
   * mention closing by 3.1: Closes: #912655, CVE-2018-16847
   * mention closing by 2.10:
     Closes: #849798, CVE-2016-10028
     Closes: CVE-2017-9060
     Closes: CVE-2017-8284
Checksums-Sha1:
 04b44c05dbc941d44a9263f86464107c608cc1d1 6009 qemu_3.1+dfsg-2.dsc
 642b91d6402bf10661eef79b056ceadd8d633617 79956 qemu_3.1+dfsg-2.debian.tar.xz
 441b91f0922509cd6f49483ae05640acdcf50e1e 16308 qemu_3.1+dfsg-2_source.buildinfo
Checksums-Sha256:
 ff801502d364414ac213537da9e114989e8374b4ddc584dba9629060b54f1385 6009 qemu_3.1+dfsg-2.dsc
 03b3283c026d58e7067c217b0c62296a622c94214f0d252da6562b65fd6daf4b 79956 qemu_3.1+dfsg-2.debian.tar.xz
 cb497f2b9c41e24ec2614c3ca223dee8b4734d1f90da6ded96f43b8a9432a8f5 16308 qemu_3.1+dfsg-2_source.buildinfo
Files:
 75c65f666196fb751354b9f1423ac163 6009 otherosfs optional qemu_3.1+dfsg-2.dsc
 e0c4de806a66ec70cbf409b57f293796 79956 otherosfs optional qemu_3.1+dfsg-2.debian.tar.xz
 105f2dbc8adaab55f0ace64bb59e4053 16308 otherosfs optional qemu_3.1+dfsg-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlwdBycPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5ZR4EH/1DWJ5T4wPaksVDVn+UsmKhYCXggcQPPWaJC
oUg2BEKGH0URQZUe/u+xgVn8/SovSq8/x6tng4o3QP4ay+sFRrxFtkBGwKSXT5zG
AXKC/vB8lhXL0OnVEz4BZMrmweV3jX9m8b+jFPC5URoQTqFNLvtPZ7pvA+30yjLx
53VUf/FBP2q8alKZVVSivNOXhkYSEE/nofuKfVKDyYkCAzqSEzQ6J3+z7roJxRh0
bMYUKWBcxF4yXdii7P2JTbWyut1ysSRCdPIruhMbBot9JATVk8gG6HQqLzswrKhu
Q2xP0fZZeoSgQDPH87CkJMo3KQpexu+z+ghjQGXtApdE+7Eo/HE=
=W0YW
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#916278; Package src:qemu. (Sat, 12 Jan 2019 19:24:03 GMT).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 12 Jan 2019 19:24:03 GMT).


Message #15 received at 916278@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: debian-lts@lists.debian.org
Cc: 916278@bugs.debian.org
Subject: qemu - CVE-2018-19665: bt subsystem mishandles negative length variables
Date: Sat, 12 Jan 2019 17:52:01 +0100
Hi,

I had a look at CVE-2018-19665 regarding qemu in oldstable/stable.

summary: the bluetooth subsystem uses signed length variables at multiple
places. These length variables are used, among others, in memcpy calls. A
malicious guest VM could attempt to crash the host by passing negative len
values (in fact, huge len values interpreted as negative numbers) to these
functions.

The suggested patch[0] changes the type of these length variables to size_t
(unsigned) and adds a few assert calls to make sure the code is also
resilient against large values of len.

First, it is not completely clear to me to what extent this length variable
is under the control of guest VM users.

Say, if guest kernel drivers process calls first, then these large/negative
values are likely to be rejected before they have even reached the affected
qemu code. Under this hypothesis, guest VM users would need to have full
control over the guest kernel to exploit this vulnerability (making exploit
more difficult in real envs?).

I might be wrong on this point due to my limited knowledge of this
code-base.

Anyways, given that the patch is quite large (though straightforward), that
the subsystem doesn't seem to be very actively maintained and that the user
base is quite small, it is maybe better to mark this no-dsa in stretch and
jessie.

Cheers,
 Hugo

[0] https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#916278; Package src:qemu. (Fri, 25 Jan 2019 09:18:02 GMT).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Fri, 25 Jan 2019 09:18:02 GMT).


Message #20 received at 916278@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: debian-lts@lists.debian.org
Cc: 916278@bugs.debian.org
Subject: Re: qemu - CVE-2018-19665: bt subsystem mishandles negative length variables
Date: Fri, 25 Jan 2019 10:03:20 +0100
> Anyways, given that the patch is quite large (though straightforward), that
> the subsystem doesn't seem to be very actively maintained and that the user
> base is quite small, it is maybe better to mark this no-dsa in stretch and
> jessie.

... but if we manage to trim down upstream's patch to just a few lines,
it could still be worth it.

I have taken upstream's patch and got rid of all type related changes
which don't have any security related impact. In fact they don't solve
the 'negative len' issue, these changes are just equivalent to moving the
size_t cast a few instructions earlier.

These changes might make sense in a refactoring perspective but this is
just noise in our case.

The resulting patch is tiny:

    diff --git a/bt-host.c b/bt-host.c
    index 2f8f631c25..b73a44d07d 100644
    --- a/bt-host.c
    +++ b/bt-host.c
    @@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque,
         static uint8_t buf[4096];
     
         buf[0] = type;
    +    assert((size_t) len < sizeof(buf));
         memcpy(buf + 1, data, len);
     
         while (write(s->fd, buf, len + 1) < 0)
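Review bot: `assert((size_t) len < sizeof(buf));` bounds the copy correctly (buf[0] holds the type byte, so `len` may be at most sizeof(buf) - 1, which `<` enforces, and a negative `len` wraps to a huge size_t and fails the test), but it turns guest-supplied bad input into an abort of the whole QEMU process and vanishes entirely if this file is ever compiled with NDEBUG. An explicit `if (len < 0 || (size_t) len >= sizeof(buf)) { return; }` (optionally with a logged drop) keeps the bound in every build and costs the guest a packet rather than the VM. The `len + 1` passed to write() stays an int and is fine once len is bounded.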
    diff --git a/hw/bt/hci-csr.c b/hw/bt/hci-csr.c
    index 0341ded50c..26bd516d31 100644
    --- a/hw/bt/hci-csr.c
    +++ b/hw/bt/hci-csr.c
    @@ -320,18 +320,18 @@ static int csrhci_write(struct Chardev *chr,
         struct csrhci_s *s = (struct csrhci_s *)chr;
         int total = 0;
     
    -    if (!s->enable)
    +    if (!s->enable || len <= 0)
             return 0;
     
         for (;;) {
             int cnt = MIN(len, s->in_needed - s->in_len);
    -        if (cnt) {
    -            memcpy(s->inpkt + s->in_len, buf, cnt);
    -            s->in_len += cnt;
    -            buf += cnt;
    -            len -= cnt;
    -            total += cnt;
    -        }
    +        assert(cnt > 0);
    +
    +        memcpy(s->inpkt + s->in_len, buf, cnt);
    +        s->in_len += cnt;
    +        buf += cnt;
    +        len -= cnt;
    +        total += cnt;
     
             if (s->in_len < s->in_needed) {
                 break;
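Review bot: replacing `if (cnt) { ... }` with `assert(cnt > 0);` changes behaviour for cnt == 0, a state the old code tolerated (len already consumed, or s->in_len already equal to s->in_needed). The hunk stops at the first `break`, so before shipping this confirm that every path back to the top of `for (;;)` leaves both `len > 0` and `s->in_needed > s->in_len`; otherwise a well-formed write that used to return `total` now aborts QEMU. The new `len <= 0` early return only protects the first iteration, and a negative `s->in_needed - s->in_len` would still make cnt negative, which the assert also catches, again by aborting. `if (cnt <= 0) { return total; }` keeps the bound without handing the guest a way to kill the process.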

3 lines changed, omitting indentation related diff. Given that this
issue might allow host side DoS/memory corruption I don't think this is
exaggerated.

The only thing which is still unclear to me is why the patch is checking
using assert(). If these assert() calls are standard ansi ones, then their
failure would stop the whole qemu process which is not exactly what we
want right?

cheers,
 Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

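The following is an added example and is not QEMU code, not the patch above and not from either of Hugo's messages. It puts the signed-length bug summarised in message #15 (an `int len` passed to memcpy, where a negative value wraps to a huge size_t) next to the two checking styles discussed in message #20: the assert-based bound from the patch, which aborts the process on bad input, and a plain rejecting check that drops the packet instead. `pkt_buf`, `send_unchecked`, `send_with_assert`, `send_with_check` and `max_payload_result` are hypothetical names that only mirror the shape of vhci_host_send() (one type byte, then `len` bytes into a fixed 4096-byte buffer); the sample payload is constructed for the example.

```c
/*
 * Added example, not QEMU code: models the signed-length handling behind
 * CVE-2018-19665 next to two ways of bounding it. pkt_buf, send_unchecked,
 * send_with_assert, send_with_check and max_payload_result are hypothetical
 * names chosen here to mirror the shape of vhci_host_send() (1 type byte +
 * memcpy of `len` bytes into a fixed 4096-byte buffer).
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_BUF_SIZE 4096

static uint8_t pkt_buf[PKT_BUF_SIZE];

/* Constructed sample payload: the largest packet that still fits after
 * the type byte. */
static uint8_t sample_payload[PKT_BUF_SIZE - 1];

/* What memcpy receives when an int length is converted to size_t: a
 * negative int wraps to a huge unsigned value (well-defined in C, and
 * exactly what makes the unchecked copy run off the end of the buffer). */
size_t len_as_seen_by_memcpy(int len)
{
    return (size_t)len;
}

/* The vulnerable shape: no bound on len at all. A negative or oversized
 * len from the guest side makes memcpy write past the end of pkt_buf.
 * Kept only for contrast; never call it with an untrusted len. */
int send_unchecked(uint8_t type, const uint8_t *data, int len)
{
    pkt_buf[0] = type;
    memcpy(pkt_buf + 1, data, (size_t)len);
    return len + 1;
}

/* The style of check used in the patch under discussion: the cast makes a
 * negative len huge, so it fails the comparison, and `<` leaves room for
 * the type byte. On failure assert() aborts the whole process. */
int send_with_assert(uint8_t type, const uint8_t *data, int len)
{
    pkt_buf[0] = type;
    assert((size_t)len < sizeof(pkt_buf));
    memcpy(pkt_buf + 1, data, (size_t)len);
    return len + 1;
}

/* Same bound, but the bad packet is rejected instead of killing the VM:
 * the caller gets -1 and can log and drop it. */
int send_with_check(uint8_t type, const uint8_t *data, int len)
{
    if (len < 0 || (size_t)len >= sizeof(pkt_buf)) {
        return -1;
    }
    pkt_buf[0] = type;
    memcpy(pkt_buf + 1, data, (size_t)len);
    return len + 1;
}

/* Largest payload the checked path accepts: 4095 bytes + type byte = 4096. */
int max_payload_result(void)
{
    memset(sample_payload, 0xAB, sizeof(sample_payload));
    return send_with_check(0x02, sample_payload, (int)sizeof(sample_payload));
}

int main(void)
{
    const uint8_t hello[] = { 'h', 'i' };

    printf("(size_t)-1 as seen by memcpy : %zu\n", len_as_seen_by_memcpy(-1));
    printf("send_with_check(2 bytes)     : %d\n", send_with_check(0x01, hello, 2));
    printf("send_with_check(len = -1)    : %d\n", send_with_check(0x01, hello, -1));
    printf("send_with_check(len = 4096)  : %d\n",
           send_with_check(0x01, sample_payload, PKT_BUF_SIZE));
    printf("send_with_check(len = 4095)  : %d\n", max_payload_result());
    return 0;
}
```

Build with `cc -Wall -o bt_len bt_len.c && ./bt_len`. The checked variants accept the same lengths (0 to 4095); the difference is only what happens on rejection, which is the point Hugo raises about assert() stopping the whole qemu process.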
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 May 2019 07:30:15 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:12:43 2019; Machine Name: buxtehude
