mirror of
https://git.yoctoproject.org/poky
synced 2026-05-09 17:39:31 +00:00
Divya Chellam
e0736e9b27
A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest to crash the QEMU process on the host, resulting in a d enial of service or allow arbitrary code execution within the context of the QEMU process on the host. CVE-2024-3446-0004, CVE-2024-3446-0005, CVE-2024-3446-0006 are CVE fix and CVE-2024-3446-0001, CVE-2024-3446-0002, CVE-2024-3446-0003 are dependent commits to fix the CVE. References: https://nvd.nist.gov/vuln/detail/CVE-2024-3446 Upstream patches: https://gitlab.com/qemu-project/qemu/-/commit/9c86c97f12c060bf7484dd931f38634e166a81f0 https://gitlab.com/qemu-project/qemu/-/commit/f63192b0544af5d3e4d5edfd85ab520fcf671377 https://gitlab.com/qemu-project/qemu/-/commit/ec0504b989ca61e03636384d3602b7bf07ffe4da https://gitlab.com/qemu-project/qemu/-/commit/ba28e0ff4d95b56dc334aac2730ab3651ffc3132 https://gitlab.com/qemu-project/qemu/-/commit/b4295bff25f7b50de1d9cc94a9c6effd40056bca https://gitlab.com/qemu-project/qemu/-/commit/f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc (From OE-Core rev: db7e3a56656db0bc61ec2e35ccc149e9b90a389b) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>