Bug 1927007 (CVE-2021-20181)

Summary: CVE-2021-20181 qemu: 9pfs: TOCTOU privilege escalation vulnerability
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: berrange, cfergeau, dbecker, dblechte, dfediuck, eedri, itamar, jen, jferlan, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, mburns, mgoldboi, michal.skrivanek, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sbonazzo, sclewis, sherold, slinaber, virt-maint, virt-maint, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A race condition flaw was found in the 9pfs server implementation of QEMU. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-10 10:09:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1927009, 1927008    
Bug Blocks: 1927010, 1928051    

Description Guilherme de Almeida Suckevicz 2021-02-09 20:14:51 UTC 
A flaw was found in QEMU in the way it handles a list of open file descriptors. Improper synchronization of this list can lead to a use-after-free.

Reference:
https://bugs.launchpad.net/qemu/+bug/1911666

Upstream patch:
https://git.qemu.org/?p=qemu.git;a=commit;h=89fbea8737e8f7b954745a1ffc4238d377055305
Comment 1 Guilherme de Almeida Suckevicz 2021-02-09 20:15:23 UTC 
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1927009]
Affects: fedora-all [bug 1927008]
Comment 2 Mauro Matteo Cascella 2021-02-10 09:51:35 UTC 
External References:

https://bugs.launchpad.net/qemu/+bug/1911666
Comment 3 Product Security DevOps Team 2021-02-10 10:09:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20181
Comment 4 Mauro Matteo Cascella 2021-02-10 10:46:44 UTC 
Statement:

This issue does not affect the versions of `qemu-kvm` as shipped with Red Hat products, as they do not include support for the virtio 9p backend.