Bug 1970489 (CVE-2021-3595)

Summary: CVE-2021-3595 QEMU: slirp: invalid pointer initialization may lead to information disclosure (tftp)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, jen, jferlan, jjoyce, jmaloy, jnovy, jschluet, knoel, lhh, lpeer, marcandre.lureau, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libslirp 4.6.0 Doc Type: If docs needed, set a value
Doc Text:
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 23:21:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970841, 1970843, 1970844, 1970845, 1970846, 1970847, 1970849, 1970850, 1972241, 1972242, 1972243    
Bug Blocks: 1969478, 1970557    

Description Mauro Matteo Cascella 2021-06-10 14:54:24 UTC 
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The function tftp_input() handles requests for the tftp protocol from the guest. While processing a udp packet that is smaller than the size of the tftp_t structure it uses memory from outside the working mbuf buffer. This issue may lead to out of bound read access or indirect memory disclosure to the guest.

Upstream commits:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e7
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f179481
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf
Comment 5 Mauro Matteo Cascella 2021-06-15 13:50:39 UTC 
Created libslirp tracking bugs for this issue:

Affects: epel-all [bug 1972242]
Affects: fedora-all [bug 1972243]


Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1972241]
Comment 6 errata-xmlrpc 2021-11-09 17:40:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191
Comment 7 Product Security DevOps Team 2021-11-09 23:21:34 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3595