QEMU is a widely used open-source machine emulator and virtualizer that supports many platforms, including x86, ARM, POWER, and more. It is commonly run alongside KVM (Kernel-based Virtual Machine) to manage virtual machines in enterprise and personal deployments, which makes it a crucial component of many IT infrastructures.

Two memory-safety flaws, tracked together as CVE-2022-4172, were found in the QEMU emulator's ACPI Error Record Serialization Table (ERST) device: an integer overflow in read_erst_record() and a buffer overflow in write_erst_record(). This post looks at the two bugs and their impact on systems that use QEMU as a virtual machine manager.

Description

In ACPI (Advanced Configuration and Power Interface), the Error Record Serialization Table (ERST) is the standardized interface through which an operating system persists hardware error records so that they survive a reboot. QEMU emulates this device for guests and backs the persisted records with a host-side memory region.

The problems are in the read_erst_record() and write_erst_record() functions, which copy error records between the guest-visible exchange buffer and that host-side storage. Both take the record length from guest-supplied data and do not validate it correctly: on the read path a length calculation can wrap so that the bounds check passes, and on the write path the length is not bounded by the destination buffer. Either way, the guest can make QEMU copy past the end of the host buffer allocated for the ERST device.

Affected Code Snippet

The sketch below is a simplified illustration of the pattern shared by both functions, not a verbatim copy of hw/acpi/erst.c: the record's address and length are taken from a guest-controlled structure and then used for a copy without being checked against the size of the host buffer.

static uint32_t read_erst_record(...)
{
    ...
    /* Record address and length come from guest-controlled data */
    paddr = ((uint64_t)s->base[index].addr_h << 32) |
            s->base[index].addr_l;
    size = s->base[index].len;
    /* Integer overflow: an offset-plus-size bounds check on this
     * length can wrap around and pass for an oversized record */
    ...
}
static uint32_t write_erst_record(...)
{
    ...
    /* Record address and length come from guest-controlled data */
    paddr = ((uint64_t)s->base[index].addr_h << 32) |
            s->base[index].addr_l;
    size = s->base[index].len;
    /* Buffer overflow: this length is not bounded by the destination
     * buffer before the record is copied into host memory */
    ...
}
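To make the two failure modes concrete, here is an added, self-contained model of a guest-supplied record length being checked and copied. It is example code written for this page, not QEMU's code: the buffer sizes, the record header layout and the function names are constructed for illustration. It shows the unsafe check pattern (adding a guest offset and length in 32 bits, and bounding only against the source buffer) next to a hardened check that cannot wrap and also bounds the copy by the destination slot.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model sizes (not QEMU's): the guest writes records into an
 * 8 KiB exchange buffer; the host stores each accepted record in a 4 KiB slot. */
#define EXCHANGE_SIZE 8192u
#define SLOT_SIZE     4096u

/* The record carries its own length in its header, as a CPER record does.
 * The guest fills this in, so nothing in it can be trusted. */
struct record_hdr {
    uint32_t signature;
    uint32_t length;
};

/* Pattern behind the integer-overflow flaw: offset + length is computed in
 * 32 bits, so a huge guest length wraps to a small sum and the check passes. */
static bool unsafe_length_ok(uint32_t offset, uint32_t length)
{
    return offset + length <= EXCHANGE_SIZE;
}

/* Hardened check: never add two guest values together, subtract from the
 * known buffer size instead, and bound the length by the destination too. */
static bool safe_length_ok(uint32_t offset, uint32_t length)
{
    if (offset >= EXCHANGE_SIZE)             /* header must start inside */
        return false;
    if (length < sizeof(struct record_hdr))  /* must at least hold a header */
        return false;
    if (length > EXCHANGE_SIZE - offset)     /* source bytes must exist */
        return false;
    if (length > SLOT_SIZE)                  /* destination must hold it */
        return false;
    return true;
}

/* Copy the record at 'offset' into 'slot' only if it passes the hardened
 * check. Returns the number of bytes stored, 0 if the record was rejected. */
static uint32_t store_record(const uint8_t *exchange, uint32_t offset,
                             uint8_t *slot)
{
    struct record_hdr hdr;

    if (offset > EXCHANGE_SIZE - sizeof hdr)
        return 0;
    memcpy(&hdr, exchange + offset, sizeof hdr);
    if (!safe_length_ok(offset, hdr.length))
        return 0;
    memcpy(slot, exchange + offset, hdr.length);
    return hdr.length;
}

/* Constructed scenario: plant one header at 'offset' claiming 'length' bytes
 * and ask the host side to store it. */
static uint32_t demo_store(uint32_t offset, uint32_t length)
{
    static uint8_t exchange[EXCHANGE_SIZE];
    static uint8_t slot[SLOT_SIZE];
    struct record_hdr hdr = { 0x52455043u, length };  /* made-up signature */

    memset(exchange, 0, sizeof exchange);
    if (offset > EXCHANGE_SIZE - sizeof hdr)
        return 0;
    memcpy(exchange + offset, &hdr, sizeof hdr);
    return store_record(exchange, offset, slot);
}

int main(void)
{
    /* 1. A well-formed 64-byte record at offset 256 is accepted. */
    printf("valid record: stored %u bytes\n", demo_store(256, 64));

    /* 2. Wrap-around: 4000 + 0xFFFFFF00 overflows uint32_t to 3744, so the
     *    unsafe check believes the record fits in the exchange buffer. */
    printf("wrapped length: unsafe=%d safe=%d stored=%u\n",
           unsafe_length_ok(4000, 0xFFFFFF00u),
           safe_length_ok(4000, 0xFFFFFF00u),
           demo_store(4000, 0xFFFFFF00u));

    /* 3. No wrap, but 6000 bytes do not fit a 4096-byte slot: the unsafe
     *    check only looks at the source buffer and would overrun the slot. */
    printf("oversized record: unsafe=%d safe=%d stored=%u\n",
           unsafe_length_ok(0, 6000), safe_length_ok(0, 6000),
           demo_store(0, 6000));
    return 0;
}
```

The second scenario is the integer-overflow shape (a wrapped sum defeats a source-buffer check), the third is the buffer-overflow shape (a length that is legal for the source but larger than the destination). The hardened check rejects both because it compares the guest length against what remains of each buffer instead of doing arithmetic on guest-controlled values.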

A malicious guest that triggers either flaw overruns a host-side buffer inside the QEMU process. The published advisory describes the impact as crashing that process (a denial of service for the guest and anything else served by it); anything beyond a crash would depend on what the overrun corrupts and has not been demonstrated.

Exploit Details

An attacker needs code execution inside a guest that runs on an affected QEMU version with the emulated ACPI ERST device attached. From there, the guest controls the record data and the length field that read_erst_record() and write_erst_record() trust, so a crafted record is enough to trigger the integer overflow on the read path or the buffer overflow on the write path.

The result is memory corruption in the host-side QEMU process. In practice that means a crash of the QEMU process serving the guest; any further escalation is speculative and is not part of the published advisory.

References

- The original issue and patches on the QEMU development mailing list:
  - Integer overflow in read_erst_record(): link
  - Buffer overflow in write_erst_record(): link
- The official CVE database entry: CVE-2022-4172

Mitigations

Update to a QEMU release that contains both fixes (they landed upstream in QEMU 7.2.0) or apply the patches from the references above. Note that the ERST device is opt-in: only guests started with an acpi-erst device on the QEMU command line expose this code, so auditing VM definitions for that device is a quick way to find which guests are affected. Beyond this issue, keep virtualization software updated and follow the security advisories for it, since a flaw in an emulated device is reachable from any guest that has the device.

Conclusion

CVE-2022-4172 is a reminder that every emulated device is attack surface for the host, and that virtualization software has to be kept current. Administrators should deploy patches for it as soon as they are available and review which optional devices their guests actually need.

Timeline

Published on: 11/29/2022 18:15:00 UTC
Last modified on: 02/01/2023 16:02:00 UTC