Re: Addressing CVE-2024-3446 in qemu versions shipped in debian bullseye and older

Wed, 08 Jan 2025 10:17:10 -0800 

El 02/01/25 a las 08:43, Thomas Huth escribió:
> On 31/12/2024 00.21, Santiago Ruano Rincón wrote:
> > Hello there,
> > 
> > (Please CC me since I am not subscribed to the QEMU devel list.)
> > 
> > I am working on backporting some CVE fixes to old Debian versions
> > (bullseye and previous), and I would like to ask you some help to
> > confirm if QEMU in those debian releases is affected by CVE-2024-3446 or
> > not. This is QEMU 5.2, 3.1 and 2.8.
> > 
> > On the 7.2 branch, the following four commits are required to fix
> > CVE-2024-3446:
> > https://gitlab.com/qemu-project/qemu/-/commit/e070e5e6748e3217028fa21aa30bb51f862368c8
> > https://gitlab.com/qemu-project/qemu/-/commit/6d37a308159766cb90ed745cfeb1880937b638ec
> > https://gitlab.com/qemu-project/qemu/-/commit/e7c2df3fd748a20a8b7a316d186b3ac77551f159
> > https://gitlab.com/qemu-project/qemu/-/commit/7aaf5f7778de4d75a169ab193f08857eb28db3a4
> > 
> > AFAICS, the qemu_bh_new calls were replaced with qemu_bh_new_guarded in
> > 7.2.6.
> > 
> > Please note that 6d37a308159766cb90ed745cfeb1880937b638ec (and
> > ba28e0ff4d95b56dc334aac2730ab3651ffc3132) include this bug as reference:
> > https://bugs.launchpad.net/qemu/+bug/1888606. Could you please confirm
> > the CVE relates to the same issue?
> > 
> > I am unable to reproduce the issue. I've tried the reproducer found at
> > 6d37a308 and the one from the ubuntu referenced bug. However comment #5
> > in the ubuntu bug mentions it was reproducible with QEMU 5.0, so I am
> > confused.
> 
>  Hi!
> 
> Just to double-check: Did you compile your QEMU with address sanitizer
> enabled? Otherwise you might not see the issue when running the reproducer.

Hi, and thanks a lot for your answer!

Yes, I am building QEMU with address sanitizer enabled. I am getting
this only ASAN-related warning when running the reproducer:

==8384==WARNING: ASan doesn't fully support makecontext/swapcontext functions 
and may produce false positives in some cases!

And by your message, I am assuming you are still able to reproduce it.
Please, correct me if I am wrong. I am giving another try to see if I
can get "better" results.

> 
>  Thomas
> 
> 
> > To summarise: it OK to affirm QEMU 5.x and older is unaffected by
> > CVE-2024-3446?
> > 
> > Thanks in advance, and happy new year!
> > 
> >   -- Santiago
> 

Thanks,

 -- Santiago

Attachment: signature.asc
Description: PGP signature

Reply via email to