CVE-2023-6693: Qemu: virtio-net: stack buffer overflow in virtio_net_flush_tx()

First published: Thu Dec 14 2023(Updated: )

A stack based buffer overflow was found in the virtio-net device of QEMU. The flaw occurs while copying data to mhdr, a local variable of type virtio_net_hdr_mrg_rxbuf, when flushing TX in the virtio_net_flush_tx function. If guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled, `n->guest_hdr_len` is set to sizeof(struct virtio_net_hdr_v1_hash), which is bigger than sizeof(virtio_net_hdr_mrg_rxbuf). This vulnerability could potentially allow a malicious user to overwrite local variables adjacent to mhdr allocated on the stack. Specifically, the out_sg variable could be used to read some part of process memory and send it to the wire: ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), out_sg, out_num, virtio_net_tx_complete);

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/first-publish-date
• agent/remedy
• agent/severity
• agent/title
• agent/weakness
• agent/author
• agent/description
• collector/epss-latest
• source/FIRST
• agent/epss
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2023-6693
• collector/mitre-cve
• source/MITRE
• agent/references
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup
• agent/last-modified-date
• agent/softwarecombine
• agent/tags
• agent/event
• vendor/qemu
• canonical/qemu qemu
• vendor/redhat
• canonical/redhat enterprise linux
• version/redhat enterprise linux/8.0
• version/redhat enterprise linux/9.0
• vendor/fedoraproject
• canonical/fedoraproject fedora
• version/fedoraproject fedora/39