Bug 1970491 (CVE-2021-3594)

Summary: CVE-2021-3594 QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, jen, jferlan, jjoyce, jmaloy, jnovy, jschluet, knoel, lhh, lpeer, marcandre.lureau, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libslirp 4.6.0 Doc Type: If docs needed, set a value
Doc Text:
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 23:22:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970852, 1970853, 1970854, 1970855, 1970856, 1970857, 1970858, 1970859, 1972248, 1972251, 1972252    
Bug Blocks: 1969478, 1970557    

Description Mauro Matteo Cascella 2021-06-10 14:57:32 UTC 
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The function udp_input() handles requests for the udp protocol from the guest. While processing a udp packet that is smaller than the size of the udphdr structure it uses memory from outside the working mbuf buffer. This issue may lead to out of bound read access or indirect memory disclosure to the guest.

Upstream commits:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e7
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be4
Comment 5 Mauro Matteo Cascella 2021-06-15 13:51:37 UTC 
Created libslirp tracking bugs for this issue:

Affects: epel-all [bug 1972251]
Affects: fedora-all [bug 1972252]


Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1972248]
Comment 6 errata-xmlrpc 2021-11-09 17:40:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191
Comment 7 Product Security DevOps Team 2021-11-09 23:22:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3594