OpenCVE

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182
https://gitlab.com/qemu-project/qemu/-/issues/1171
https://nvd.nist.gov/vuln/detail/CVE-2022-2962
https://www.cve.org/CVERecord?id=CVE-2022-2962

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-09-13T19:18:14

Updated: 2024-08-22T03:55:11.563Z

Reserved: 2022-08-23T00:00:00

Link: CVE-2022-2962

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-13T20:15:09.640

Modified: 2023-06-28T20:40:49.643

Link: CVE-2022-2962

Redhat

Severity : Low

Publid Date: 2022-08-23T00:00:00Z

Links: CVE-2022-2962 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "QEMU", "vendor": "n/a", "versions": [{"status": "affected", "version": "Will be fixed in QEMU 7.2.0-rc0"}]}], "descriptions": [{"lang": "en", "value": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-13T19:18:14", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-2962", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "QEMU", "version": {"version_data": [{"version_value": "Will be fixed in QEMU 7.2.0-rc0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/qemu-project/qemu/-/issues/1171", "refsource": "MISC", "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"}, {"name": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182", "refsource": "MISC", "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:53:00.431Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-21T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2022-2962"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T03:55:11.563Z"}}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-2962", "datePublished": "2022-09-13T19:18:14", "dateReserved": "2022-08-23T00:00:00", "dateUpdated": "2024-08-22T03:55:11.563Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*", "matchCriteriaId": "F175C5B0-1BE3-4901-8677-35E1F3FCBBA3", "versionEndIncluding": "7.1.0", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition."}, {"lang": "es", "value": "Se encontr\u00f3 un problema de reentrada DMA en la emulaci\u00f3n del dispositivo Tulip en QEMU. Cuando Tulip lee o escribe en el descriptor rx/tx o copia la trama rx/tx, no comprueba si la direcci\u00f3n de destino es su propia direcci\u00f3n MMIO. Esto puede causar a el dispositivo disparar los manejadores MMIO m\u00faltiples veces, posiblemente conllevando a un desbordamiento de la pila (stack, heap). Un hu\u00e9sped malicioso podr\u00eda usar este fallo para bloquear el proceso QEMU en el host, resultando en una condici\u00f3n de denegaci\u00f3n de servicio"}], "id": "CVE-2022-2962", "lastModified": "2023-06-28T20:40:49.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-13T20:15:09.640", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-662"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Siqi Chen (Shanghai Jiaotong University) and Zheyu Ma for reporting this issue.", "bugzilla": {"description": "QEMU: tulip: DMA reentrancy issue leads to stack or heap overflow", "id": "2120631", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2120631"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-662", "details": ["A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.", "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its MMIO address. This issue can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. This flaw allows a malicious guest to crash the QEMU process on the host, resulting in a denial of service condition."], "name": "CVE-2022-2962", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:8.2/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:av/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2022-08-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2962\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2962"], "statement": "The `qemu-kvm` packages as shipped with Red Hat Enterprise Linux 8 Advanced Virtualization and Red Hat Enterprise Linux 6, 7, 8 are not affected by this issue as the Tulip NIC device is not included.", "threat_severity": "Low", "upstream_fix": "qemu 7.2.0-rc0"}