A new vulnerability (CVE-2024-26328) has been discovered, affecting QEMU (Quick Emulator) versions 7.1.0 through 8.2.1. The issue resides in the register_vfs function in hw/pci/pcie_sriov.c, where NumVFs is not set to PCI_SRIOV_TOTAL_VF, resulting in a mishandled interaction with hw/nvme/ctrl.c. QEMU is a widely used free and open-source hypervisor that can run multiple virtual machines (guest systems) on a single host. Because the NumVFs value is handled improperly, this vulnerability threatens the security and stability of the systems underneath those guests.

The vulnerable code can be found in the hw/pci/pcie_sriov.c file:

static int register_vfs(PCIDevice *dev)
{
    /* some code */
    sriov->numvfs = sriov->pos - sizeof(struct virtfn_desc);
    /* The problem: NumVFs should be set to PCI_SRIOV_TOTAL_VF value below */
    pcie_endpoint_cap_vfs(sriov->parent, sriov->numvfs);
    /* some more code */
}

Exploit Details

Upon further analysis of the code, it is clear that the register_vfs function does not set the NumVFs variable to the PCI_SRIOV_TOTAL_VF value. This oversight causes the subsequent interactions with hw/nvme/ctrl.c to be handled incorrectly, which can potentially lead to memory corruption or other incorrect behavior of the QEMU virtual machines.

Here is a possible fix for the code snippet:

static int register_vfs(PCIDevice *dev)
{
    /* some code */
    sriov->numvfs = sriov->pos - sizeof(struct virtfn_desc);
    /* The fix: Set NumVFs to the correct value of PCI_SRIOV_TOTAL_VF */
    pcie_endpoint_cap_vfs(sriov->parent, PCI_SRIOV_TOTAL_VF);
    /* some more code */
}
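To show the defensive pattern behind this class of bug, here is an added, stand-alone C model (not QEMU's code, and not the patch linked below): the guest-writable NumVFs value is validated against TotalVFs once, in the SR-IOV layer, and a consumer such as an NVMe controller model asks that layer for the effective VF count rather than trusting the raw register. All structure names, sizes and values are constructed for illustration.

```c
/* Added example: a stand-alone model of SR-IOV NumVFs handling (not QEMU code).
 * Structures, names and values below are constructed for illustration. */
#include <stdint.h>
#include <string.h>

#define MAX_VFS 8              /* size of the backing VF table (assumed) */

struct sriov_model {
    uint16_t total_vfs;        /* TotalVFs: limit the device advertises to the guest */
    uint16_t num_vfs;          /* NumVFs: raw value the guest wrote (may exceed total_vfs) */
    uint16_t active_vfs;       /* number of VFs actually registered */
    int vf_table[MAX_VFS];     /* per-VF state; only indices < active_vfs are valid */
};

/* Guest-controlled write of NumVFs. The validated count is what the rest of the
 * device must use; the raw config-space value is untrusted input. */
int model_write_num_vfs(struct sriov_model *m, uint16_t requested)
{
    uint16_t n = requested;

    m->num_vfs = requested;                 /* mirror what a guest sees in config space */
    if (n > m->total_vfs) {
        n = m->total_vfs;                   /* clamp: never register more VFs than TotalVFs */
    }
    if (n > MAX_VFS) {
        n = MAX_VFS;                        /* defence in depth against a mis-sized TotalVFs */
    }
    memset(m->vf_table, 0, sizeof(m->vf_table));
    for (uint16_t i = 0; i < n; i++) {
        m->vf_table[i] = 1;                 /* register VF i */
    }
    m->active_vfs = n;
    return n;
}

/* A consumer (an NVMe-like controller) must ask the SR-IOV layer for the
 * validated count instead of re-reading the raw NumVFs register itself. */
int model_consumer_vf_count(const struct sriov_model *m)
{
    return m->active_vfs;
}

/* Returns 1 if a consumer that trusted the raw register would walk past the
 * registered VFs, which is the out-of-bounds access the clamp prevents. */
int model_raw_count_is_unsafe(const struct sriov_model *m)
{
    return m->num_vfs > m->active_vfs;
}
```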

Original References

1. QEMU homepage - https://www.qemu.org/
2. QEMU source code - https://git.qemu.org/?p=qemu.git;a=tree
3. Commit fixing the vulnerability - https://git.qemu.org/?p=qemu.git;a=commit;h=f5f48755c4473b034b5f2267d2824842698d6e94
4. MITRE, CVE-2024-26328 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26328
5. NVD, CVE-2024-26328 - https://nvd.nist.gov/vuln/detail/CVE-2024-26328

Conclusion

The discovered issue CVE-2024-26328 in QEMU versions 7.1.0 to 8.2.1 poses a significant threat to systems relying on QEMU virtualization. It is crucial to apply the fix or update to a patched version to mitigate this vulnerability. Developers should pay close attention to how different components of their systems interact, in this case how a value set in the SR-IOV layer is consumed by the NVMe device model, to avoid similar issues in the future.

Timeline

Published on: 02/19/2024 05:15:26 UTC
Last modified on: 04/19/2024 07:15:09 UTC