Bug 1966266 (CVE-2021-3582)

Summary: CVE-2021-3582 QEMU: pvrdma: improper mremap in pvrdma_map_to_pdir()
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: berrange, cfergeau, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qemu 6.1.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-17 15:05:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1973144
Bug Blocks: 1962562, 1968395

Description Pedro Sampaio 2021-05-31 18:31:59 UTC
A flaw was found in QEMU. Because pvrdma improperly calls mremap, a VM escape may be caused.

Comment 1 Mauro Matteo Cascella 2021-06-04 11:17:20 UTC
The flaw exists in pvrdma_map_to_pdir() in hw/rdma/vmw/pvrdma_cmd.c. It could occur while handling a 'PVRDMA_CMD_CREATE_MR' command through the create_mr() handler, which ultimately calls pvrdma_map_to_pdir. There, mremap() is called repeatedly in a while loop without properly checking whether the location of the new mapping exceeds a previously remapped memory region.

static void *pvrdma_map_to_pdir(...)
{
    ....
    curr_page = rdma_pci_dma_map(pdev, (dma_addr_t)tbl[0], TARGET_PAGE_SIZE);
    ...
    host_virt = mremap(curr_page, 0, length, MREMAP_MAYMOVE);
    ...
    addr_idx = 1;
    while (addr_idx < nchunks) { // nchunks may be > length/TARGET_PAGE_SIZE
        ...
        mremap(curr_page, 0, TARGET_PAGE_SIZE, MREMAP_MAYMOVE | MREMAP_FIXED,
               host_virt + TARGET_PAGE_SIZE * addr_idx); // may remap after host_virt + length
        ...
        addr_idx++;
    }
    ...
}
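To make the bounds problem in the loop above concrete, here is an added C model of the address arithmetic (not code from QEMU, from the upstream fix, or from this report). It replaces the real DMA mapping and mremap calls with bookkeeping so it runs anywhere: `place_chunks_unchecked()` counts how many MREMAP_FIXED placements of the unchecked loop would land past the `length`-byte reservation, and `validate_pdir_request()` is the kind of guest-input check a handler should run before any remap. The struct names, the 4 KiB page size, the fixed base address and the sample requests are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed page size; the device code uses TARGET_PAGE_SIZE (4 KiB on x86). */
#define PAGE_SZ 4096ULL

/* Guest-controlled fields of a (hypothetical, simplified) CREATE_MR request
 * that reach the page-directory mapping routine. */
struct pdir_request {
    uint32_t nchunks;   /* number of page-table entries the guest claims */
    uint64_t length;    /* size of the region the guest asks to be mapped */
};

/* Bookkeeping stand-in for the host_virt region that the first
 * mremap(curr_page, 0, length, MREMAP_MAYMOVE) reserves. */
struct reservation {
    uint64_t base;
    uint64_t length;
};

/* Models the unchecked loop: chunks 1..nchunks-1 are placed with MREMAP_FIXED
 * at base + PAGE_SZ * addr_idx regardless of `length`. Returns how many of
 * those placements fall (even partly) outside [base, base + length). */
static int place_chunks_unchecked(const struct reservation *r, uint32_t nchunks)
{
    int out_of_bounds = 0;
    for (uint32_t addr_idx = 1; addr_idx < nchunks; addr_idx++) {
        uint64_t target = r->base + PAGE_SZ * addr_idx;
        if (target + PAGE_SZ > r->base + r->length) {
            out_of_bounds++;   /* in the real device this clobbers whatever is mapped there */
        }
    }
    return out_of_bounds;
}

/* Validation to run before any remap: accept only when nchunks pages exactly
 * cover the page-rounded length, so every addr_idx stays inside the
 * reservation. Returns 0 and the rounded length on success, -1 on rejection. */
static int validate_pdir_request(const struct pdir_request *req, uint64_t *rounded_len)
{
    if (req->nchunks == 0 || req->length == 0)
        return -1;
    if (req->length > UINT64_MAX - (PAGE_SZ - 1))      /* ROUND_UP would wrap */
        return -1;
    uint64_t rounded = (req->length + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
    if ((uint64_t)req->nchunks * PAGE_SZ != rounded)   /* u32 * 4096 fits in u64 */
        return -1;
    *rounded_len = rounded;
    return 0;
}

/* Hardened mapping: -1 if the request is rejected, otherwise the number of
 * out-of-bounds placements, which validation guarantees is 0. */
static int map_to_pdir_checked(const struct pdir_request *req)
{
    uint64_t len;
    if (validate_pdir_request(req, &len) != 0)
        return -1;
    struct reservation r = { .base = 0x7f0000000000ULL, .length = len };
    return place_chunks_unchecked(&r, req->nchunks);
}

int main(void)
{
    /* Constructed guest requests: one honest, one with nchunks far beyond length. */
    struct pdir_request honest  = { .nchunks = 4,  .length = 4 * PAGE_SZ };
    struct pdir_request crafted = { .nchunks = 64, .length = PAGE_SZ };
    struct reservation r = { .base = 0x7f0000000000ULL, .length = crafted.length };

    printf("unchecked, crafted: %d chunks land past the reservation\n",
           place_chunks_unchecked(&r, crafted.nchunks));
    printf("checked,   crafted: %d (rejected before any remap)\n",
           map_to_pdir_checked(&crafted));
    printf("checked,   honest:  %d out-of-bounds placements\n",
           map_to_pdir_checked(&honest));
    return 0;
}
```

The check insists on exact coverage rather than merely `nchunks * PAGE_SZ <= length`: a guest that supplies fewer chunks than the length implies would leave part of the reservation backed by nothing useful, and treating both mismatches as protocol errors keeps the handler's state simple. What the model leaves out is the other half of the real routine, where each chunk is fetched through rdma_pci_dma_map() from a guest-supplied table; those entries are guest input too and need their own validation.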

Comment 4 Mauro Matteo Cascella 2021-06-17 10:30:17 UTC
Upstream fix:
https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html

Comment 5 Mauro Matteo Cascella 2021-06-17 10:31:12 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1973144]

Comment 6 Product Security DevOps Team 2021-06-17 15:05:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3582