Bug 2021869 (CVE-2021-3947)
Summary: | CVE-2021-3947 QEMU: NVMe: out-of-bounds memory read in nvme_changed_nslist | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | msiddiqu |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | berrange, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | qemu-kvm 6.2.0-rc2 | Doc Type: | If docs needed, set a value |
Doc Text: | A stack buffer overflow was found in the NVMe component of QEMU. The flaw lies in nvme_changed_nslist(), where a malicious guest controlling certain input can read out-of-bounds memory. A malicious user could use this flaw to cause disclosure of sensitive information. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-11-10 18:27:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2022084, 2022085 | | |
Bug Blocks: | 2018537, 2022398 | | |
Description
msiddiqu
2021-11-10 11:13:12 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2022084]
Affects: fedora-all [bug 2022085]

(In reply to msiddiqu from comment #0)
> A stack overflow flaw was found in NVME in QEMU. The flaw lies in
> hw/nvme/ctrl.c:nvme_changed_nslist() where a variable named off (Log Page
> offset) is controlled by the guest which, if set to bigger than 4096, could lead
> to an integer underflow. Another variable, buf_len, can also be partially
> controlled by the guest, which would lead to a stack buffer overflow. Since
> this flaw allows an attacker to read out-of-bounds memory, it could lead to
> disclosure of sensitive information.

Proposed upstream patch: https://lore.kernel.org/qemu-devel/20211111153125.2258176-1-philmd@redhat.com/

Likely final upstream fix (v3): https://lore.kernel.org/qemu-devel/20211117132335.41850-1-its@irrelevant.dk/

Fixed upstream by https://gitlab.com/qemu-project/qemu/-/commit/e2c57529c9306e4
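As an added illustration (not QEMU's code and not part of this report), the unsigned length computation the quoted comment describes, modelled on a hypothetical 4096-byte stack buffer with guest-controlled off and buf_len, next to a checked version that rejects an offset past the end of the buffer before any arithmetic depends on it:

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the length computation described in the report:
 * a 4096-byte log-page buffer on the stack, a guest-controlled Log Page
 * offset (off) and a guest-controlled transfer length (buf_len). Added
 * illustration only; it is not QEMU's nvme_changed_nslist() code. */
#define NSLIST_BYTES 4096ULL
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Flawed: the "bytes remaining after off" subtraction is unsigned, so an
 * off larger than the buffer wraps to a huge value and MIN() then simply
 * returns buf_len. A copy of that many bytes from buffer + off would read
 * past the end of the stack buffer. */
uint64_t trans_len_flawed(uint64_t off, uint32_t buf_len)
{
    uint64_t remaining = NSLIST_BYTES - off; /* wraps when off > 4096 */
    return MIN(remaining, (uint64_t)buf_len);
}

/* Hardened: validate the offset before any arithmetic depends on it.
 * Returns -1 (caller should fail the command) when off is outside the
 * buffer, otherwise the clamped transfer length, which now always
 * satisfies off + len <= NSLIST_BYTES. */
int64_t trans_len_checked(uint64_t off, uint32_t buf_len)
{
    if (off >= NSLIST_BYTES) {
        return -1;
    }
    return (int64_t)MIN(NSLIST_BYTES - off, (uint64_t)buf_len);
}

/* True when a copy of len bytes starting at buffer + off stays in bounds. */
int copy_in_bounds(uint64_t off, uint64_t len)
{
    return off <= NSLIST_BYTES && len <= NSLIST_BYTES - off;
}

int main(void)
{
    uint64_t off = 8192, len;            /* constructed out-of-range offset */
    len = trans_len_flawed(off, 4096);
    printf("flawed : off=%llu len=%llu in_bounds=%d\n",
           (unsigned long long)off, (unsigned long long)len,
           copy_in_bounds(off, len));
    printf("checked: off=%llu result=%lld\n",
           (unsigned long long)off, (long long)trans_len_checked(off, 4096));
    return 0;
}
```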