Bug 1924601 (CVE-2021-20221)

Summary: CVE-2021-20221 qemu: out-of-bound heap buffer access via an interrupt ID field
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, bmasney, cfergeau, dbecker, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mcascell, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, robinlee.sysu, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-08 17:35:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1924602, 1925428, 1925430, 1925431, 1925432, 1926168, 1928976, 1928977, 1936948, 1952986    
Bug Blocks: 1924594, 1924605    

Description Marian Rehak 2021-02-03 09:48:52 UTC 
An out-of-bound heap buffer access via an interrupt ID field resulting from undefined behaviour. The Interrupt ID of the SGI to forward to the specified CPU interfaces. The value of this field is the Interrupt ID, in the range 0-15, for example a value of 0b0011 specifies Interrupt ID 3.

It requires unusual kernel start-up with 'kernel-irqchip=off'.

This issue does not affect default configuration ie. kernel-irqchip=on.

Upstream patch:
---------------
  -> https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a
Comment 1 Marian Rehak 2021-02-03 09:49:29 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1924602]
Comment 2 Philippe Mathieu-Daudé 2021-02-03 14:42:32 UTC 
Upstream fix:
https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a
Comment 3 Prasad Pandit 2021-02-05 07:08:37 UTC 
External References:

https://bugs.launchpad.net/qemu/+bug/1914353
https://www.openwall.com/lists/oss-security/2021/02/05/1
Comment 9 Prasad Pandit 2021-02-05 08:21:29 UTC 
Statement:

This issue does not affect the versions of the qemu-kvm package as shipped with the Red Hat Enterprise Linux 5 and 6.
This issue affects versions of the qemu-kvm-rhev package as shipped with Red Hat Enterprise Linux 7 and qemu-kvm package as shipped with the Red Hat Enterprise Linux 8. Future package updates may address this issue for Red Hat Enterprise Linux 7 and 8.
Comment 15 errata-xmlrpc 2021-04-07 08:16:06 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.3.1

Via RHSA-2021:1125 https://access.redhat.com/errata/RHSA-2021:1125
Comment 16 Product Security DevOps Team 2021-04-08 17:35:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20221
Comment 17 errata-xmlrpc 2021-06-22 14:13:42 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:2521 https://access.redhat.com/errata/RHSA-2021:2521
Comment 18 errata-xmlrpc 2021-08-10 13:50:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3061 https://access.redhat.com/errata/RHSA-2021:3061