Bug 1970484 (CVE-2021-3592)

Summary: CVE-2021-3592 QEMU: slirp: invalid pointer initialization may lead to information disclosure (bootp)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, jen, jferlan, jjoyce, jmaloy, jnovy, jschluet, knoel, lhh, lpeer, marcandre.lureau, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libslirp 4.6.0 Doc Type: If docs needed, set a value
Doc Text:
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 22:54:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970819, 1970820, 1970821, 1970822, 1970823, 1970824, 1970825, 1970826, 1972244, 1972246, 1972249    
Bug Blocks: 1969478, 1970557    

Description Mauro Matteo Cascella 2021-06-10 14:41:36 UTC 
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The function bootp_input() in src/bootp.c handles requests for the bootp protocol from the guest. While processing a udp packet that is smaller than the size of the bootp_t structure (548 bytes) it uses memory from outside the working mbuf buffer. This may lead to the leakage of 10 bytes of uninitialized heap memory to the guest.

Upstream commits:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e7
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838
Comment 5 Mauro Matteo Cascella 2021-06-15 13:51:20 UTC 
Created libslirp tracking bugs for this issue:

Affects: epel-all [bug 1972246]
Affects: fedora-all [bug 1972249]


Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1972244]
Comment 6 errata-xmlrpc 2021-11-09 17:39:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191
Comment 7 Product Security DevOps Team 2021-11-09 22:54:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3592