Bug 1979858 (CVE-2021-3638)

Summary: CVE-2021-3638 QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: berrange, carnil, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-07 10:40:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1979882
Bug Blocks: 1978398, 2003528

Description Mauro Matteo Cascella 2021-07-07 09:20:21 UTC
A flaw was found in the ATI VGA emulation of QEMU. An inconsistent check and use of dst_[x|y] and s->regs.dst_[x|y] may lead to an out-of-bounds write of vram_ptr. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations from the guest. A malicious guest user could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Note: this is similar to CVE-2020-11869, CVE-2020-24352 and CVE-2020-27616.
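The defect class the description names (the bounds check runs on the locally adjusted dst_x/dst_y while the write uses the raw s->regs.dst_x/dst_y) as an added, deliberately simplified C model. This is illustration written for this page, not QEMU's ati_2d_blt() and not code from the report: the blt_regs struct, the framebuffer dimensions, adjusted_x(), rect_in_bounds(), fill_rect(), the guard bytes and the two constructed requests are all assumptions made here, and only the x direction bit is modelled. The guard region past the framebuffer shows why the inconsistent variant corrupts memory the check was supposed to protect, and why the consistent variant (check and use the same values) does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a 2D fill engine; NOT QEMU's ati_2d_blt().  The
 * framebuffer is 1 byte per pixel and is followed by GUARD tripwire bytes
 * inside the same flat array, so a write past the last row is observable
 * without undefined behaviour. */
#define FB_WIDTH  64
#define FB_HEIGHT 32
#define FB_SIZE   (FB_WIDTH * FB_HEIGHT)
#define GUARD     64
#define CANARY    0xA5

/* Guest-controlled registers: a stand-in for s->regs.dst_* plus the
 * x-direction bit of dp_cntl (constructed names). */
typedef struct {
    uint32_t dst_x, dst_y, dst_width, dst_height;
    bool left_to_right;   /* false: dst_x names the right-most column */
} blt_regs;

typedef struct {
    uint8_t mem[FB_SIZE + GUARD];
} vram;

static void vram_init(vram *v)
{
    memset(v->mem, 0, FB_SIZE);
    memset(v->mem + FB_SIZE, CANARY, GUARD);
}

/* True while every guard byte past the framebuffer is untouched. */
bool guard_intact(const vram *v)
{
    for (size_t i = 0; i < GUARD; i++)
        if (v->mem[FB_SIZE + i] != CANARY) return false;
    return true;
}

/* Top-left corner implied by the direction bit: for a right-to-left fill the
 * register holds the right edge, so the corner is dst_x + 1 - width. */
static int adjusted_x(const blt_regs *r)
{
    return r->left_to_right ? (int)r->dst_x
                            : (int)r->dst_x + 1 - (int)r->dst_width;
}

static bool rect_in_bounds(int x, int y, uint32_t w, uint32_t h)
{
    return x >= 0 && y >= 0 && w > 0 && h > 0 &&
           (uint64_t)x + w <= FB_WIDTH && (uint64_t)y + h <= FB_HEIGHT;
}

static void fill_rect(vram *v, uint32_t x, uint32_t y,
                      uint32_t w, uint32_t h, uint8_t c)
{
    for (uint32_t row = 0; row < h; row++)
        memset(v->mem + (size_t)(y + row) * FB_WIDTH + x, c, w);
}

/* Vulnerable pattern: validates the adjusted corner, then fills from the raw
 * register value.  Returns false when the request is rejected. */
bool blt_fill_inconsistent(vram *v, const blt_regs *r, uint8_t c)
{
    int x = adjusted_x(r);
    if (!rect_in_bounds(x, (int)r->dst_y, r->dst_width, r->dst_height))
        return false;
    fill_rect(v, r->dst_x, r->dst_y, r->dst_width, r->dst_height, c); /* raw */
    return true;
}

/* Hardened pattern: the value that was checked is the value that is used. */
bool blt_fill_consistent(vram *v, const blt_regs *r, uint8_t c)
{
    int x = adjusted_x(r);
    if (!rect_in_bounds(x, (int)r->dst_y, r->dst_width, r->dst_height))
        return false;
    fill_rect(v, (uint32_t)x, r->dst_y, r->dst_width, r->dst_height, c);
    return true;
}

typedef bool (*blt_fn)(vram *, const blt_regs *, uint8_t);

/* 0 = rejected, 1 = accepted with guard intact, 2 = accepted and guard
 * corrupted (the write ran past the framebuffer). */
int run_request(blt_fn fn, const blt_regs *r)
{
    vram v;
    vram_init(&v);
    if (!fn(&v, r, 0xFF))
        return 0;
    return guard_intact(&v) ? 1 : 2;
}

/* Constructed inputs.  The first is a right-to-left fill whose adjusted corner
 * (45..60) fits, but whose raw dst_x (60..75) runs off the last row.  The
 * second uses the same registers left-to-right and must be rejected. */
const blt_regs constructed_request = { 60, FB_HEIGHT - 1, 16, 1, false };
const blt_regs rejected_request    = { 60, FB_HEIGHT - 1, 16, 1, true };

int main(void)
{
    printf("inconsistent: %d\n", run_request(blt_fill_inconsistent, &constructed_request));
    printf("consistent:   %d\n", run_request(blt_fill_consistent, &constructed_request));
    return 0;
}
```

The point of the model is the single line that differs between the two blit functions: once a coordinate has been derived and validated, the derived value has to be the one passed to the write, otherwise the check constrains nothing.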

Comment 2 Mauro Matteo Cascella 2021-07-07 10:22:29 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1979882]

Comment 4 Salvatore Bonaccorso 2021-09-03 13:11:54 UTC
Has this issue been forwarded/notified to upstream?

Comment 5 Mauro Matteo Cascella 2021-09-03 17:14:37 UTC
In reply to comment #4:
> Has this issue been forwarded/notified to upstream?

Yes, this was reported upstream via qemu-security mailing list. The impact of this CVE is very minimal as the ati-vga device is still experimental and not really meant to be used in production environments. This may be the reason why it's not been addressed so far. I'll reach out to QEMU maintainer(s) to ask if they have any feedback about this.

Thanks.

Comment 6 Philippe Mathieu-Daudé 2021-09-03 17:26:59 UTC
Could CVE-2021-3638 be fixed by this commit?

commit ca1f9cbfdce4d63b10d57de80fef89a89d92a540
Author: Prasad J Pandit <pjp>
Date:   Wed Oct 21 16:08:18 2020 +0530

    ati: check x y display parameter values
    
    The source and destination x,y display parameters in ati_2d_blt()
    may run off the vga limits if either of s->regs.[src|dst]_[xy] is
    zero. Check the parameter values to avoid potential crash.
    
    Reported-by: Gaoning Pan <pgn.cn>
    Signed-off-by: Prasad J Pandit <pjp>
    Message-id: 20201021103818.1704030-1-ppandit
    Signed-off-by: Gerd Hoffmann <kraxel>

Comment 7 Mauro Matteo Cascella 2021-09-06 12:54:51 UTC
I don't think so, because that was the patch for CVE-2020-27616: https://bugzilla.redhat.com/show_bug.cgi?id=1894036#c0.
And it's still possible to reproduce this issue with that patch applied.

Comment 8 Mauro Matteo Cascella 2021-09-09 09:28:22 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html

Comment 9 Mauro Matteo Cascella 2022-12-06 15:20:54 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643