Bug 1924601 (CVE-2021-20221) - CVE-2021-20221 qemu: out-of-bound heap buffer access via an interrupt ID field
Summary: CVE-2021-20221 qemu: out-of-bound heap buffer access via an interrupt ID field
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20221
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1924602 1925428 1925430 1925431 1925432 1926168 1928976 1928977 1936948 1952986
Blocks: 1924594 1924605
 
Reported: 2021-02-03 09:48 UTC by Marian Rehak
Modified: 2021-08-10 13:50 UTC (History)
CC List: 30 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU on the aarch64 platform. The issue occurs because, while writing an interrupt ID to the controller memory area, the ID is not masked to be 4 bits wide. This may lead to out-of-bounds access while updating controller state fields and during their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.
Clone Of:
Environment:
Last Closed: 2021-04-08 17:35:10 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2521 0 None None None 2021-06-22 14:13:53 UTC
Red Hat Product Errata RHSA-2021:3061 0 None None None 2021-08-10 13:50:22 UTC

Description Marian Rehak 2021-02-03 09:48:52 UTC
An out-of-bound heap buffer access via an interrupt ID field, resulting from undefined behaviour. The Interrupt ID of the SGI to forward to the specified CPU interfaces. The value of this field is the Interrupt ID, in the range 0-15; for example, a value of 0b0011 specifies Interrupt ID 3.

It requires unusual kernel start-up with 'kernel-irqchip=off'.

This issue does not affect the default configuration, i.e. kernel-irqchip=on.

Upstream patch:
---------------
  -> https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a
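An added illustration of the masking issue described above; this is not QEMU's code nor the upstream patch. It models a GIC emulator's 16-entry per-SGI pending table (a hypothetical structure standing in for the "controller state fields") and decodes the interrupt ID from a GICD_SGIR write either unmasked (assumed here to keep 10 bits, the full interrupt-ID width) or masked to the 4-bit SGIINTID field. The model bounds-checks before indexing, so it reports the out-of-bounds access instead of performing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model (not QEMU's code) of the state a GIC emulator keeps
 * per Software Generated Interrupt: SGI IDs are 0-15, so the table has
 * 16 rows; indexing a row with a larger ID is a heap overrun. */
#define GIC_NR_SGIS 16
#define GIC_NCPU 8

typedef struct {
    uint8_t sgi_pending[GIC_NR_SGIS][GIC_NCPU]; /* [irq][target] = mask of source CPUs */
} gic_model;

/* Decode the SGI interrupt ID from a GICD_SGIR write.
 * fixed == false: assumed pre-fix decode keeping 10 bits, so reserved
 *                 bits [9:4] of the guest-controlled value leak into the index.
 * fixed == true:  the ID is masked to the 4-bit SGIINTID field (0-15). */
unsigned sgir_irq_id(uint32_t value, bool fixed)
{
    return fixed ? (value & 0xfu) : (value & 0x3ffu);
}

/* Model a guest write to GICD_SGIR issued by src_cpu. Bits [23:16] are the
 * CPU target list (target-filter bits [25:24] are treated as 0 here).
 * Returns the interrupt ID actually used, or -1 when the decoded ID would
 * index past the 16-entry table: the model reports the out-of-bounds
 * access rather than corrupting memory as an unmasked emulator would. */
int sgir_write(gic_model *s, uint32_t value, int src_cpu, bool fixed)
{
    unsigned irq = sgir_irq_id(value, fixed);
    unsigned target_list = (value >> 16) & 0xffu;

    if (irq >= GIC_NR_SGIS) {
        return -1;
    }
    for (int cpu = 0; cpu < GIC_NCPU; cpu++) {
        if (target_list & (1u << cpu)) {
            s->sgi_pending[irq][cpu] |= (uint8_t)(1u << src_cpu);
        }
    }
    return (int)irq;
}

/* One-shot check: apply a single write to a zeroed model and return the
 * source-CPU mask recorded for (irq, target_cpu), or -1 if rejected. */
int sgir_demo(uint32_t value, int src_cpu, bool fixed, int target_cpu)
{
    gic_model s;
    memset(&s, 0, sizeof s);
    int irq = sgir_write(&s, value, src_cpu, fixed);
    return irq < 0 ? -1 : s.sgi_pending[irq][target_cpu];
}
```

With masking, a write of 0x13 lands on SGI 3 (reserved bits ignored, as the spec text quoted above implies); without it the same write tries to update row 19 of a 16-row table.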

Comment 1 Marian Rehak 2021-02-03 09:49:29 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1924602]

Comment 2 Philippe Mathieu-Daudé 2021-02-03 14:42:32 UTC
Upstream fix:
https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a

Comment 9 Prasad Pandit 2021-02-05 08:21:29 UTC
Statement:

This issue does not affect the versions of the qemu-kvm package as shipped with the Red Hat Enterprise Linux 5 and 6.
This issue affects versions of the qemu-kvm-rhev package as shipped with Red Hat Enterprise Linux 7 and qemu-kvm package as shipped with the Red Hat Enterprise Linux 8. Future package updates may address this issue for Red Hat Enterprise Linux 7 and 8.

Comment 15 errata-xmlrpc 2021-04-07 08:16:06 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.3.1

Via RHSA-2021:1125 https://access.redhat.com/errata/RHSA-2021:1125

Comment 16 Product Security DevOps Team 2021-04-08 17:35:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20221

Comment 17 errata-xmlrpc 2021-06-22 14:13:42 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:2521 https://access.redhat.com/errata/RHSA-2021:2521

Comment 18 errata-xmlrpc 2021-08-10 13:50:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3061 https://access.redhat.com/errata/RHSA-2021:3061

