Bug 2021869 (CVE-2021-3947)

Summary: CVE-2021-3947 QEMU: NVMe: out-of-bounds memory read in nvme_changed_nslist
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: berrange, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: qemu-kvm 6.2.0-rc2
Doc Type: If docs needed, set a value
Doc Text:
A stack buffer overflow was found in QEMU in the NVMe component. The flaw lies in nvme_changed_nslist(), where a malicious guest controlling certain input can read out-of-bounds memory. A malicious user could use this flaw to disclose sensitive information.
Story Points: ---
Last Closed: 2021-11-10 18:27:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2022084, 2022085
Bug Blocks: 2018537, 2022398

Description msiddiqu 2021-11-10 11:13:12 UTC
A stack buffer overflow flaw was found in NVMe in QEMU. The flaw lies in hw/nvme/ctrl.c:nvme_changed_nslist(), where a variable named off (Log Page offset) is controlled by the guest and, if set to a value bigger than 4096, could lead to an integer underflow. Another variable, buf_len, can also be partially controlled by the guest, which would lead to a stack buffer overflow. Since this flaw allows an attacker to read out-of-bounds memory, it could lead to disclosure of sensitive information.
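
To make the arithmetic in the description concrete, here is an added C model (written for this page; it is neither the QEMU source nor the reporter's code) of the guest-controlled length computation beside a bounded version. NSLIST_BYTES, vuln_trans_len, safe_trans_len and reads_out_of_bounds are names chosen here, and the hardened check is modelled on the approach of the upstream fix (reject an out-of-range offset before subtracting) rather than copied from it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the length computation this report describes; it is
 * not the QEMU source. The log page buffer is 4096 bytes (uint32_t[1024] in
 * the report) and both `off` and `buf_len` are guest-controlled inputs. */
#define NSLIST_BYTES 4096ULL
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Vulnerable shape: the subtraction is unsigned 64-bit, so any off > 4096
 * wraps to a huge value and MIN() simply hands back buf_len, even though
 * nothing of the buffer remains past that offset. */
uint32_t vuln_trans_len(uint64_t off, uint32_t buf_len)
{
    uint64_t remaining = NSLIST_BYTES - off;      /* wraps when off > 4096 */
    return (uint32_t)MIN(remaining, (uint64_t)buf_len);
}

/* Hardened shape, modelled on the upstream fix (an offset bound check before
 * the subtraction; not a copy of it). Returns -1 for a rejected request
 * (the driver would answer with an invalid-field status), else the length. */
int64_t safe_trans_len(uint64_t off, uint32_t buf_len)
{
    if (off >= NSLIST_BYTES)
        return -1;
    return (int64_t)MIN(NSLIST_BYTES - off, (uint64_t)buf_len);
}

/* Check helper: would a copy of `len` bytes starting at `off` touch memory
 * beyond the 4096-byte buffer? */
int reads_out_of_bounds(uint64_t off, uint64_t len)
{
    return off > NSLIST_BYTES || len > NSLIST_BYTES - off;
}

int main(void)
{
    uint64_t off = 4097;          /* constructed guest value, one past the end */
    uint32_t buf_len = 64;
    uint32_t v = vuln_trans_len(off, buf_len);
    printf("vulnerable: off=%llu buf_len=%u -> trans_len=%u, oob=%d\n",
           (unsigned long long)off, buf_len, v, reads_out_of_bounds(off, v));
    printf("hardened:   off=%llu -> %lld (negative = rejected)\n",
           (unsigned long long)off, (long long)safe_trans_len(off, buf_len));
    return 0;
}
```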

Comment 1 gkamathe 2021-11-10 18:04:47 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2022084]
Affects: fedora-all [bug 2022085]

Comment 4 Philippe Mathieu-Daudé 2021-11-11 15:47:13 UTC
(In reply to msiddiqu from comment #0)
> A stack overflow flaw was found in NVMe in QEMU. The flaw lies in
> hw/nvme/ctrl.c:nvme_changed_nslist(), where a variable named off (Log Page
> offset) is controlled by the guest and, if set to a value bigger than 4096,
> could lead to an integer underflow. Another variable, buf_len, can also be
> partially controlled by the guest, which would lead to a stack buffer
> overflow. Since this flaw allows an attacker to read out-of-bounds memory,
> it could lead to disclosure of sensitive information.

Proposed upstream patch:
https://lore.kernel.org/qemu-devel/20211111153125.2258176-1-philmd@redhat.com/

Comment 8 Philippe Mathieu-Daudé 2021-11-17 15:46:16 UTC
Likely final upstream fix (v3):
https://lore.kernel.org/qemu-devel/20211117132335.41850-1-its@irrelevant.dk/

Comment 10 Philippe Mathieu-Daudé 2021-11-19 12:37:37 UTC
Fixed upstream by https://gitlab.com/qemu-project/qemu/-/commit/e2c57529c9306e4