Bug 1970487 (CVE-2021-3593)

Summary: CVE-2021-3593 QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp6)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, jen, jferlan, jjoyce, jmaloy, jnovy, jschluet, knoel, lhh, lpeer, marcandre.lureau, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libslirp 4.6.0 Doc Type: If docs needed, set a value
Doc Text:
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 22:55:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970834, 1970835, 1970836, 1970837, 1970838, 1970839, 1970840, 1970842, 1972245, 1972247, 1972250    
Bug Blocks: 1969478, 1970557    

Description Mauro Matteo Cascella 2021-06-10 14:51:49 UTC 
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The function udp6_input() handles requests for the udp protocol from the guest. While processing a udp packet that is smaller than the size of the udphdr structure it uses memory from outside the working mbuf buffer. This issue may lead to out of bound read access or indirect memory disclosure to the guest.

Upstream commits:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e7
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15d
Comment 5 Mauro Matteo Cascella 2021-06-15 13:51:20 UTC 
Created libslirp tracking bugs for this issue:

Affects: epel-all [bug 1972247]
Affects: fedora-all [bug 1972250]


Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1972245]
Comment 6 errata-xmlrpc 2021-11-09 17:39:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191
Comment 7 Product Security DevOps Team 2021-11-09 22:54:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3593