Bug 1958978 (CVE-2021-3546)

Summary: CVE-2021-3546 QEMU: vhost-user-gpu: out-of-bounds write in virgl_cmd_get_capset()
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: berrange, cfergeau, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-29 09:03:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1959046, 1959061    
Bug Blocks: 1957311, 1959064    

Description Mauro Matteo Cascella 2021-05-10 14:17:13 UTC 
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU. The flaw exists in virgl_cmd_get_capset() in contrib/vhost-user-gpu/virgl.c and could occur while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

This issue is analogous to CVE-2016-10028 in virtio-gpu-3d:
https://bugzilla.redhat.com/show_bug.cgi?id=1406367

Patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg04536.html

OOB write in virgl_cmd_get_capset() in virgl.c:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg04542.html
Comment 3 Mauro Matteo Cascella 2021-05-10 16:02:29 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1959046]
Comment 5 Mauro Matteo Cascella 2021-05-12 17:26:11 UTC 
Statement:

This issue does not affect the versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8, as Virgl was not enabled in these versions. Support for Virgl was enabled as technical preview in Red Hat Enterprise Linux Advanced Virtualization 8.2, and later disabled in Red Hat Enterprise Linux Advanced Virtualization 8.3.
Comment 6 Mauro Matteo Cascella 2021-05-12 17:29:19 UTC 
For more information about Virgl support in RHEL Advanced Virtualization, please refer to the following bugs:
* [RFE] Enable virgl as TechPreview (qemu) [bz#1559740]
* Drop virgil acceleration support and remove virglrenderer dependency [bz#1831271]
Comment 7 Mauro Matteo Cascella 2021-05-31 10:49:19 UTC 
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/9f22893a
Comment 8 Mauro Matteo Cascella 2021-06-15 10:34:38 UTC 
While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems, due to security concerns. Therefore, using qemu-* commands is not supported by Red Hat, and it is highly recommended to interact with QEMU using libvirt. Several isolation mechanisms are available to realize guest isolation and the principle of least privilege. The fundamental isolation mechanism is that QEMU processes must run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU using SELinux and sVirt protection for QEMU VMs, which further limit the potential damage in case of guest-to-host escape scenario. The impact of this flaw is hence limited under such circumstances.