Bug 1989651 (CVE-2021-3682)
| Summary: | CVE-2021-3682 QEMU: usbredir: free() call on invalid pointer in bufp_alloc() | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | berrange, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, kkiwi, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | qemu 6.1.0-rc2 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the USB redirector device emulation of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-09-30 18:21:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1989924, 1989925, 1989926, 1989927, 1989928, 1989933, 1989934, 1996133 | | |
| Bug Blocks: | 1986089, 1990106 | | |
Description
Mauro Matteo Cascella
2021-08-03 16:37:52 UTC
Different types of USB transfers (Interrupt, Isochronous and Bulk transfers) lead to bufp_alloc(). Gerd Hoffmann pointed out that the "drop packets" logic in bufp_alloc() is meant for Isochronous endpoints. As described in the previous comment, the invalid pointer comes from the Bulk endpoint code path, and Bulk transfers should in theory never drop packets. However, there is a (rather high) limit of 5000 packets set for Bulk endpoints, so in practice it might be possible to end up in the "drop packets" code path even with bulk endpoints when spice-client tries to send a huge jumbo-packet.

Seems like this issue dates back to qemu-1.4.0 when support for buffered bulk input was first introduced: https://gitlab.com/qemu-project/qemu/-/commit/b2d1fe67d09d2b6c7da647fbcea6ca0148c206d3

Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1989934]
Affects: fedora-all [bug 1989933]

Note that the SPICE client needs to get past authentication to try exploiting this flaw.

While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems, due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat. It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limit the potential damage in case of guest-to-host escape scenario.

In reply to comment #8:

> While QEMU is an essential component in virtualization environments, it is
> not intended to be used directly on RHEL 8 systems, due to security
> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,
> which provides several isolation mechanisms to realize guest isolation and
> the principle of least privilege. For example, the fundamental isolation
> mechanism is that QEMU processes on the host are run as unprivileged users.
> Also, the libvirtd daemon sets up additional sandbox around QEMU by
> leveraging SELinux and sVirt protection for QEMU guests, which further limit
> the potential damage in case of guest-to-host escape scenario.

The impact of this flaw is limited (Moderate) under such circumstances.

(In reply to Mauro Matteo Cascella from comment #8)

> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,

I understand the highly-recommended part, but not sure if I agree with the currently not supported part. Where is that documented?

This issue has been addressed in the following products:

Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3682

This issue has been addressed in the following products:

Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704
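The bug class discussed in the description above, as an added illustration that is not QEMU's code: a bounded packet queue whose "drop packets when the queue is full" path hands the wrong pointer to free(). The model assumes that a packet's payload pointer may sit inside a larger allocation whose owning base pointer is tracked separately (the name free_on_destroy and this framing are assumptions of the example, not taken from the report); the 5000-packet Bulk limit is the figure quoted in the report. A small allocation ledger stands in for the allocator's heap metadata so that an invalid free is reported as a return code rather than executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Limit on queued packets for Bulk endpoints, as quoted in the bug report. */
#define BULK_QUEUE_LIMIT 5000
#define LEDGER_SLOTS 16

/* ---- allocation ledger: stands in for the allocator's heap metadata ---- */
static void *ledger[LEDGER_SLOTS];

/* malloc() wrapper that records the base address of each live allocation. */
static void *ledger_alloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < LEDGER_SLOTS; i++) {
        if (ledger[i] == NULL) { ledger[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* Frees p only if it is a recorded base address; returns -1 otherwise.
 * Passing an interior pointer to the real free() is undefined behaviour,
 * which is the "free() call on invalid pointer" the report describes. */
static int ledger_free(void *p)
{
    for (int i = 0; i < LEDGER_SLOTS; i++) {
        if (ledger[i] != NULL && ledger[i] == p) {
            ledger[i] = NULL;
            free(p);
            return 0;
        }
    }
    return -1;
}

/* ---- simplified endpoint queue (hypothetical model, not QEMU's) ---- */
struct endpoint {
    size_t bufpq_size;   /* packets currently queued */
    size_t bufpq_limit;  /* queue limit (5000 for Bulk) */
};

enum { BUFP_QUEUED = 0, BUFP_DROPPED = 1, BUFP_INVALID_FREE = -1 };

/* Queue a packet whose payload `data` may live inside the larger allocation
 * `free_on_destroy` (assumed name). When the queue is full the packet is
 * dropped and its memory released: the buggy variant frees `data`, the
 * fixed variant frees the owning allocation. */
static int bufp_alloc(struct endpoint *ep, uint8_t *data, size_t len,
                      void *free_on_destroy, int fixed)
{
    (void)len;
    if (ep->bufpq_size >= ep->bufpq_limit) {
        void *victim = fixed ? free_on_destroy : (void *)data;
        return ledger_free(victim) == 0 ? BUFP_DROPPED : BUFP_INVALID_FREE;
    }
    ep->bufpq_size++;
    return BUFP_QUEUED;
}

/* Scenario: the queue is already at its limit (set directly to avoid 5000
 * allocations), then one more packet arrives whose payload starts 8 bytes
 * into a 64-byte buffer. Returns the drop path's outcome. */
static int run_drop_scenario(int fixed)
{
    struct endpoint ep = { .bufpq_size = BULK_QUEUE_LIMIT,
                           .bufpq_limit = BULK_QUEUE_LIMIT };
    uint8_t *buf = ledger_alloc(64);
    if (buf == NULL) return -99;
    memset(buf, 0xAB, 64);              /* constructed payload */
    uint8_t *payload = buf + 8;         /* interior pointer */
    int rc = bufp_alloc(&ep, payload, 56, buf, fixed);
    if (rc == BUFP_INVALID_FREE) {
        ledger_free(buf);  /* buggy path released nothing; clean up here */
    }
    return rc;
}

/* Scenario: empty queue, same packet; it is queued and ownership moves to
 * the queue. Returns the resulting queue size. */
static size_t run_normal_scenario(void)
{
    struct endpoint ep = { .bufpq_size = 0, .bufpq_limit = BULK_QUEUE_LIMIT };
    uint8_t *buf = ledger_alloc(64);
    if (buf == NULL) return 0;
    int rc = bufp_alloc(&ep, buf + 8, 56, buf, 1);
    size_t size = (rc == BUFP_QUEUED) ? ep.bufpq_size : 0;
    ledger_free(buf);   /* models teardown of the queue */
    return size;
}

int main(void)
{
    printf("buggy drop path : %d (-1 = free() on interior pointer)\n",
           run_drop_scenario(0));
    printf("fixed drop path : %d ( 1 = packet dropped, owner freed)\n",
           run_drop_scenario(1));
    printf("normal path     : queue size %zu\n", run_normal_scenario());
    return 0;
}
```

The point of the ledger is the detection side: any free() whose argument is not an allocation base is a memory-safety bug regardless of how the payload pointer was derived, and the only sound drop path is the one that releases the same pointer the allocation was made with. With a real allocator the buggy variant would instead consume whatever bytes precede the interior pointer as chunk metadata, which is why the report rates the outcome as a crash or worse.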