Bug 1973784 (CVE-2021-3611)

Summary: CVE-2021-3611 QEMU: intel-hda: segmentation fault due to stack overflow
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-04 22:41:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1974845, 1974846, 1974847, 1975833    
Bug Blocks: 1971023, 1973792    

Description Mauro Matteo Cascella 2021-06-18 17:11:44 UTC 
A KVM guest can crash qemu-kvm (likely with a stack overflow) when the guest has been started with the intel-hda device. According to the upstream ticket, the crash is due to a stack overflow.

References:
https://bugs.launchpad.net/qemu/+bug/1907497
https://gitlab.com/qemu-project/qemu/-/issues/542
Comment 3 Mauro Matteo Cascella 2021-06-22 17:56:03 UTC 
This issue was apparently introduced in QEMU upstream version 5.0.0 with commit a9d8ba2b:

$ git tag --contains a9d8ba2be58e067bdfbff830eb9ff438d8db7f10 | head -1
v5.0.0
Comment 4 Mauro Matteo Cascella 2021-06-24 14:18:13 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1975833]
Comment 6 Mauro Matteo Cascella 2021-06-30 20:36:19 UTC 
This bug turned out to be a manifestation of a well-known problem ("DMA reentrancy") whose resolution has yet to be found. QEMU upstream is aware of this issue. For additional details, see:

* https://patchew.org/QEMU/20200903110831.353476-1-philmd@redhat.com
* https://mail.gnu.org/archive/html/qemu-devel/2020-09/msg00906.html
Comment 10 Mauro Matteo Cascella 2022-09-19 21:55:13 UTC 
Upstream fix:
https://gitlab.com/qemu-project/qemu/-/commit/79fa99831debc9782087e834382c577215f2f511
Comment 11 errata-xmlrpc 2022-11-15 09:49:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7967 https://access.redhat.com/errata/RHSA-2022:7967
Comment 12 Product Security DevOps Team 2022-12-04 22:41:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3611