Bug 1989651 (CVE-2021-3682)

Summary: CVE-2021-3682 QEMU: usbredir: free() call on invalid pointer in bufp_alloc()
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: berrange, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, kkiwi, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qemu 6.1.0-rc2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the USB redirector device emulation of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-09-30 18:21:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1989934, 1989924, 1989925, 1989926, 1989927, 1989928, 1989933, 1996133    
Bug Blocks: 1986089, 1990106    

Description Mauro Matteo Cascella 2021-08-03 16:37:52 UTC
A flaw was found in the USB redirector device (usb-redir) of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. More specifically, the usbredir_buffered_bulk_packet() function calls bufp_alloc() with an invalid pointer that points into the middle of a buffer controlled by the SPICE client. If the packet queue is full, bufp_alloc() ends up freeing the same pointer passed as argument. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.

Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/491

Upstream fix:
https://gitlab.com/qemu-project/qemu/-/commit/5e796671e6b8d5de4b0b423dce1b3eba144a92c9

Comment 2 Mauro Matteo Cascella 2021-08-03 18:07:56 UTC
Different types of USB transfers (Interrupt, Isochronous and Bulk transfers) lead to bufp_alloc(). Gerd Hoffmann pointed out that the "drop packets" logic in bufp_alloc() is meant for Isochronous endpoints. As described in the previous comment, the invalid pointer comes from the Bulk endpoint code path, and Bulk transfers should in theory never drop packets. However, there is a (rather high) limit of 5000 packets set for Bulk endpoints, so in practice it might be possible to end up in the "drop packets" code path even with bulk endpoints when spice-client tries to send a huge jumbo-packet.

Comment 3 Mauro Matteo Cascella 2021-08-04 10:43:29 UTC
Seems like this issue dates back to qemu-1.4.0 when support for buffered bulk input was first introduced:
https://gitlab.com/qemu-project/qemu/-/commit/b2d1fe67d09d2b6c7da647fbcea6ca0148c206d3

Comment 5 Mauro Matteo Cascella 2021-08-04 11:05:48 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1989934]
Affects: fedora-all [bug 1989933]

Comment 7 Mauro Matteo Cascella 2021-08-05 08:25:42 UTC
Note that the SPICE client needs to get past authentication to try exploiting this flaw.

Comment 8 Mauro Matteo Cascella 2021-08-17 10:09:11 UTC
While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems, due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat. It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limit the potential damage in case of guest-to-host escape scenario.

Comment 9 Mauro Matteo Cascella 2021-08-17 10:14:02 UTC
In reply to comment #8:
> While QEMU is an essential component in virtualization environments, it is
> not intended to be used directly on RHEL 8 systems, due to security
> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,
> which provides several isolation mechanisms to realize guest isolation and
> the principle of least privilege. For example, the fundamental isolation
> mechanism is that QEMU processes on the host are run as unprivileged users.
> Also, the libvirtd daemon sets up additional sandbox around QEMU by
> leveraging SELinux and sVirt protection for QEMU guests, which further limit
> the potential damage in case of guest-to-host escape scenario.

The impact of this flaw is limited (Moderate) under such circumstances.

Comment 10 Klaus Heinrich Kiwi 2021-08-17 11:58:48 UTC
(In reply to Mauro Matteo Cascella from comment #8)

> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,

I understand the highly-recommended part, but not sure if I agree with the currently not supported part. Where is that documented?

Comment 11 Richard W.M. Jones 2021-08-17 12:34:38 UTC
https://access.redhat.com/solutions/408653

Comment 13 errata-xmlrpc 2021-09-30 16:54:08 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703

Comment 14 Product Security DevOps Team 2021-09-30 18:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3682

Comment 15 errata-xmlrpc 2021-09-30 19:01:50 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704