QEMU Security Notice: QSN-2018-003
==================================

Summary:        Multiboot out of bounds loading kernel
Reported on:    20180221
Published on:   20180227
Fixed on:       20180328
Reported by:    <>
Patched by:     <>
See also:       CVE-2018-7550

Description
-----------

Quick Emulator (QEMU), built with the PC system emulator and multiboot
support, is vulnerable to an out-of-bounds (OOB) memory access. It can
occur while loading a kernel image during guest boot if the multiboot
header address mh_load_end_addr is greater than mh_bss_end_addr.

Impact
------

A user or process able to supply the boot kernel image could use this
flaw to potentially achieve arbitrary code execution on the host.

Mitigation
----------

Do not use the -kernel argument to QEMU for providing the boot kernel.
Allow the guest firmware and bootloader (e.g. grub) to load the boot
kernel from inside the confined guest execution environment.
Alternatively, update to v2.12.0 or later, which contains the fix
commit listed below.

Related commits
----------------

git://git.qemu.org/qemu.git
https://git.qemu.org/?p=qemu.git

Branch: master
Broken in: v1.0
Broken in: v1.1.0
Broken in: v1.2.0
Broken in: v1.3.0
Broken in: v1.4.0
Broken in: v1.5.0
Broken in: v1.6.0
Broken in: v1.7.0
Broken in: v2.0.0
Broken in: v2.1.0
Broken in: v2.2.0
Broken in: v2.3.0
Broken in: v2.4.0
Broken in: v2.5.0
Broken in: v2.6.0
Broken in: v2.7.0
Broken in: v2.8.0
Broken in: v2.9.0
Broken in: v2.10.0
Broken in: v2.11.0
Fixed in: v2.12.0
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb
Fixed by: 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8

Branch: stable-1.0
Broken in: v1.0.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-1.1
Broken in: v1.1.1
Broken in: v1.1.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-1.2
Broken in: v1.2.1
Broken in: v1.2.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-1.3
Broken in: v1.3.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-1.4
Broken in: v1.4.1
Broken in: v1.4.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-1.5
Broken in: v1.5.1
Broken in: v1.5.2
Broken in: v1.5.3
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-1.6
Broken in: v1.6.1
Broken in: v1.6.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-1.7
Broken in: v1.7.1
Broken in: v1.7.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.0
Broken in: v2.0.1
Broken in: v2.0.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.1
Broken in: v2.1.1
Broken in: v2.1.2
Broken in: v2.1.3
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.2
Broken in: v2.2.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.3
Broken in: v2.3.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.4
Broken in: v2.4.0.1
Broken in: v2.4.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.5
Broken in: v2.5.1
Broken in: v2.5.1.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.6
Broken in: v2.6.1
Broken in: v2.6.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.7
Broken in: v2.7.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.8
Broken in: v2.8.1
Broken in: v2.8.1.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.9
Broken in: v2.9.1
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.10
Broken in: v2.10.1
Broken in: v2.10.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb

Branch: stable-2.11
Broken in: v2.11.1
Broken in: v2.11.2
Broken by: 6b8273a1b97876950d91c228a420a851e10e12bb
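The Description section above comes down to the ordering of the multiboot header's address fields: a loader that reserves (bss_end_addr - load_addr) bytes and then copies (load_end_addr - load_addr) bytes into them overruns its buffer when load_end_addr > bss_end_addr. The C program below is an added illustration, not QEMU's code and not the fix commit: it locates a Multiboot 1 header in a constructed 0x200-byte image, derives the load and kernel sizes the unchecked way beside a bounds-checked variant, and shows a crafted header with load_end_addr > bss_end_addr being rejected. The field layout and the zero-value meanings of load_end_addr and bss_end_addr follow the Multiboot specification; the function names (mb_find_header, mb_layout_unchecked, mb_layout_checked), the demo helpers and the sample image are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Multiboot 1 header constants (from the Multiboot specification). */
#define MB_MAGIC        0x1BADB002u
#define MB_SEARCH_LIMIT 8192u        /* header must lie within the first 8 KiB */
#define MB_FLAG_AOUT    0x00010000u  /* bit 16: the address fields below are valid */
#define MB_AOUT_HDR_LEN 32u          /* magic, flags, checksum, five address fields */

struct mb_header { uint32_t header_addr, load_addr, load_end_addr, bss_end_addr; };
/* text_offset: file offset of the byte placed at load_addr; load_size: bytes copied
 * from the file; kernel_size: bytes reserved in guest RAM (text + data + bss). */
struct mb_layout { uint32_t text_offset, load_size, kernel_size; };

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Locate a header with a valid checksum and the a.out-kludge flag; returns its offset or -1. */
long mb_find_header(const uint8_t *img, size_t len, struct mb_header *h)
{
    size_t limit = len < MB_SEARCH_LIMIT ? len : MB_SEARCH_LIMIT;
    for (size_t off = 0; off + MB_AOUT_HDR_LEN <= limit; off += 4) {
        uint32_t flags = rd32(img + off + 4), csum = rd32(img + off + 8);
        if (rd32(img + off) != MB_MAGIC || MB_MAGIC + flags + csum != 0)
            continue;                               /* uint32 wraparound is intended */
        if (!(flags & MB_FLAG_AOUT)) return -1;     /* ELF-style image; not handled here */
        h->header_addr   = rd32(img + off + 12);
        h->load_addr     = rd32(img + off + 16);
        h->load_end_addr = rd32(img + off + 20);
        h->bss_end_addr  = rd32(img + off + 24);    /* entry_addr at +28 is not needed here */
        return (long)off;
    }
    return -1;
}

/* Vulnerable shape: sizes taken from the header with no ordering check. Reserving
 * kernel_size bytes and copying load_size bytes overruns whenever load_end_addr > bss_end_addr. */
void mb_layout_unchecked(const struct mb_header *h, uint32_t hdr_off, struct mb_layout *l)
{
    l->text_offset = hdr_off - (h->header_addr - h->load_addr);
    l->load_size   = h->load_end_addr - h->load_addr;
    l->kernel_size = h->bss_end_addr - h->load_addr;
}

/* Hardened shape: every derived size is bounded before use. load_end_addr == 0 (load to
 * end of file) and bss_end_addr == 0 (no bss) keep their spec meaning. Returns 0 or -1. */
int mb_layout_checked(const struct mb_header *h, uint32_t hdr_off, uint32_t file_size, struct mb_layout *l)
{
    if (h->load_addr > h->header_addr || h->header_addr - h->load_addr > hdr_off)
        return -1;                                  /* text would start before the file */
    l->text_offset = hdr_off - (h->header_addr - h->load_addr);
    if (h->load_end_addr == 0) {
        l->load_size = file_size - l->text_offset;
    } else {
        if (h->load_end_addr < h->load_addr) return -1;             /* wrapped range */
        l->load_size = h->load_end_addr - h->load_addr;
        if (l->load_size > file_size - l->text_offset) return -1;   /* read past EOF */
    }
    if (h->bss_end_addr == 0) {
        l->kernel_size = l->load_size;
    } else {
        if (h->bss_end_addr < h->load_addr) return -1;
        l->kernel_size = h->bss_end_addr - h->load_addr;
        if (l->kernel_size < l->load_size) return -1;   /* the CVE-2018-7550 condition */
    }
    return 0;
}

/* Constructed 0x200-byte image: header at offset 0, load_addr == header_addr == 0x100000. */
static size_t build_image(uint8_t *img, uint32_t load_end, uint32_t bss_end)
{
    memset(img, 0, 0x200);
    wr32(img + 0, MB_MAGIC); wr32(img + 4, MB_FLAG_AOUT);
    wr32(img + 8, 0u - MB_MAGIC - MB_FLAG_AOUT);            /* magic + flags + checksum == 0 */
    wr32(img + 12, 0x100000); wr32(img + 16, 0x100000);     /* header_addr, load_addr */
    wr32(img + 20, load_end); wr32(img + 24, bss_end);
    wr32(img + 28, 0x100000);                               /* entry_addr */
    return 0x200;
}

/* Well-formed header (0x200 bytes of text/data, 0x200 of bss): returns kernel_size, 0 on rejection. */
uint32_t demo_valid_kernel_size(void)
{
    uint8_t img[0x200]; struct mb_header h; struct mb_layout l;
    size_t len = build_image(img, 0x100200, 0x100400);
    long off = mb_find_header(img, len, &h);
    if (off < 0 || mb_layout_checked(&h, (uint32_t)off, (uint32_t)len, &l) != 0) return 0;
    return l.kernel_size;
}

/* Crafted header with load_end_addr > bss_end_addr: 1 when the unchecked path would
 * copy more bytes than it reserves and the checked path rejects the header. */
int demo_crafted_rejected(void)
{
    uint8_t img[0x200]; struct mb_header h; struct mb_layout bad, good;
    size_t len = build_image(img, 0x100200, 0x100100);
    long off = mb_find_header(img, len, &h);
    if (off < 0) return 0;
    mb_layout_unchecked(&h, (uint32_t)off, &bad);
    return bad.load_size > bad.kernel_size && mb_layout_checked(&h, (uint32_t)off, (uint32_t)len, &good) == -1;
}
```

The two demo functions are the interesting comparison: for the crafted image the unchecked layout yields load_size 0x200 against kernel_size 0x100, which is exactly the copy-more-than-reserved situation the advisory describes, while the checked layout refuses the header before any allocation or copy happens. The file-size bound on load_size is not part of the advisory's condition but belongs in the same check, since a header can lie about how much of the file follows it just as easily as it can lie about where bss ends.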