CVE-2022-2962 - OpenCVE

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

References

Link	Resource
https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182	Patch Third Party Advisory
https://gitlab.com/qemu-project/qemu/-/issues/1171	Exploit Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2022-09-13T19:18:14

Updated: 2022-09-13T19:18:14

Reserved: 2022-08-23T00:00:00

Link: CVE-2022-2962

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-13T20:15:09.640

Modified: 2023-06-28T20:40:49.643

Link: CVE-2022-2962

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "QEMU", "vendor": "n/a", "versions": [{"status": "affected", "version": "Will be fixed in QEMU 7.2.0-rc0"}]}], "descriptions": [{"lang": "en", "value": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-13T19:18:14", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-2962", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "QEMU", "version": {"version_data": [{"version_value": "Will be fixed in QEMU 7.2.0-rc0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/qemu-project/qemu/-/issues/1171", "refsource": "MISC", "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"}, {"name": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182", "refsource": "MISC", "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-2962", "datePublished": "2022-09-13T19:18:14", "dateReserved": "2022-08-23T00:00:00", "dateUpdated": "2022-09-13T19:18:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "F175C5B0-1BE3-4901-8677-35E1F3FCBBA3", "versionEndIncluding": "7.1.0", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition."}, {"lang": "es", "value": "Se encontr\u00f3 un problema de reentrada DMA en la emulaci\u00f3n del dispositivo Tulip en QEMU. Cuando Tulip lee o escribe en el descriptor rx/tx o copia la trama rx/tx, no comprueba si la direcci\u00f3n de destino es su propia direcci\u00f3n MMIO. Esto puede causar a el dispositivo disparar los manejadores MMIO m\u00faltiples veces, posiblemente conllevando a un desbordamiento de la pila (stack, heap). Un hu\u00e9sped malicioso podr\u00eda usar este fallo para bloquear el proceso QEMU en el host, resultando en una condici\u00f3n de denegaci\u00f3n de servicio"}], "id": "CVE-2022-2962", "lastModified": "2023-06-28T20:40:49.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-13T20:15:09.640", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-662"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}