Bug 1903064 (CVE-2020-28916)

Summary: CVE-2020-28916 QEMU: e1000e: infinite loop scenario in case of null packet descriptor
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: ailan, berrange, cfergeau, dbecker, drjones, imammedo, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mcascell, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, virt-maint, vkuznets, xen-maint
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: QEMU 5.2.0
Doc Text:
An infinite loop flaw was found in the e1000e device emulator in QEMU. This issue could occur while receiving packets via the e1000e_write_packet_to_guest() routine, if the receive (RX) descriptor has a NULL buffer address. This flaw allows a privileged guest user to cause a denial of service. The highest threat from this vulnerability is to system availability.
Last Closed: 2021-05-18 14:37:26 UTC
Bug Depends On: 1903066, 1903069, 1903070, 1903071, 1910661
Bug Blocks: 1887771, 1892339

Description Prasad Pandit 2020-12-01 09:06:30 UTC
An infinite loop issue was found in the e1000e device emulator in QEMU. The issue could occur while receiving packets via the e1000e_write_packet_to_guest() routine, if the receive (RX) descriptor has a NULL buffer address. A privileged guest user may use this flaw to induce a DoS scenario in the host.

Upstream patch:
---------------
  -> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03185.html

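The no-progress condition behind this bug, as an added example that is not QEMU's code and not part of the original report. A constructed descriptor ring (one good buffer, one descriptor whose buffer pointer is NULL standing in for a NULL guest buffer address, one good buffer) receives a 100-byte packet. With advance_on_null == 0 the descriptor index only moves after a buffer has been written, so the NULL descriptor is re-examined on every iteration and the loop never terminates; MAX_ITERS is a demo-only guard that turns the hang into a -1 return. With advance_on_null == 1 the index moves past the NULL descriptor, which is the shape of the linked upstream patch (advance the descriptor offset even for a null descriptor), not its code. BUF_SIZE, the ring layout and the packet contents are assumptions for the demo; the real device also has to bound the walk by the guest-programmed ring length, which the -2 path models crudely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of an e1000e-style receive path (added example, not
 * QEMU's code). A descriptor whose buffer pointer is NULL stands in for an
 * RX descriptor with a NULL buffer address. BUF_SIZE, MAX_ITERS and the
 * ring layout are assumptions for the demo.
 */
#define BUF_SIZE  64
#define MAX_ITERS 64  /* demo-only guard so the vulnerable variant returns instead of hanging */

struct rx_desc {
    uint8_t *buf;      /* guest receive buffer; NULL models buffer address 0 */
    size_t   written;  /* bytes the emulated device wrote into buf */
};

/*
 * Write `len` bytes of `pkt` into consecutive descriptors of `ring`.
 * advance_on_null == 0: the descriptor index only advances after a buffer
 *   is written, so a NULL descriptor is re-examined forever (the CVE pattern).
 * advance_on_null == 1: the index advances on every descriptor and NULL ones
 *   are skipped, the shape of the upstream fix.
 * Returns the number of descriptors that received data, -1 if the loop made
 * no progress within MAX_ITERS (the hang), or -2 if the ring ran out.
 */
static int write_packet_to_guest(struct rx_desc *ring, size_t ring_len,
                                 const uint8_t *pkt, size_t len,
                                 int advance_on_null)
{
    size_t off = 0;   /* packet bytes already delivered */
    size_t idx = 0;   /* current descriptor */
    int used = 0, iters = 0;

    while (off < len) {
        if (++iters > MAX_ITERS)
            return -1;
        if (idx >= ring_len)
            return -2;
        struct rx_desc *d = &ring[idx];
        if (d->buf != NULL) {
            size_t chunk = (len - off < BUF_SIZE) ? len - off : BUF_SIZE;
            memcpy(d->buf, pkt + off, chunk);
            d->written = chunk;
            off += chunk;
            idx++;
            used++;
        } else if (advance_on_null) {
            idx++;  /* skip the null descriptor instead of re-examining it */
        }
        /* else: nothing changed, so the next iteration sees the same NULL descriptor */
    }
    return used;
}

/* Constructed ring: buffer, NULL descriptor, buffer; 100-byte packet. */
int run_demo(int advance_on_null)
{
    static uint8_t buf0[BUF_SIZE], buf2[BUF_SIZE];
    struct rx_desc ring[3] = {
        { buf0, 0 }, { NULL, 0 }, { buf2, 0 },
    };
    uint8_t pkt[100];
    for (size_t i = 0; i < sizeof pkt; i++)
        pkt[i] = (uint8_t)i;

    int rc = write_packet_to_guest(ring, 3, pkt, sizeof pkt, advance_on_null);
    if (rc == 2) {
        /* sanity check: 64 bytes landed in descriptor 0, the remaining 36 in descriptor 2 */
        if (ring[0].written != 64 || ring[2].written != 36 ||
            memcmp(buf0, pkt, 64) != 0 || memcmp(buf2, pkt + 64, 36) != 0)
            return -3;
    }
    return rc;
}

int main(void)
{
    printf("vulnerable loop: %d (-1 = no progress, would spin forever)\n", run_demo(0));
    printf("fixed loop:      %d descriptors used\n", run_demo(1));
    return 0;
}
```

The point a reviewer should take from this: a guest controls every field of the RX descriptor, so the device loop's progress must not depend on the guest having filled the buffer address in. Any loop whose advance is conditional on guest-supplied data needs an unconditional step or an explicit bound, otherwise a single crafted descriptor pins the vCPU thread that services the device.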
Comment 1 Prasad Pandit 2020-12-01 09:06:45 UTC
Acknowledgments:

Name: Cheol-woo Myung

Comment 2 Prasad Pandit 2020-12-01 09:07:44 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1903066]

Comment 5 Prasad Pandit 2020-12-01 12:10:42 UTC
External References:

https://www.openwall.com/lists/oss-security/2020/12/01/2

Comment 6 Mauro Matteo Cascella 2020-12-14 14:11:30 UTC
*** Bug 1893895 has been marked as a duplicate of this bug. ***

Comment 8 Product Security DevOps Team 2021-05-18 14:37:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28916

Comment 9 errata-xmlrpc 2021-05-18 14:51:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1762 https://access.redhat.com/errata/RHSA-2021:1762