Bug 1994640 (CVE-2021-3713)

Summary: CVE-2021-3713 QEMU: out-of-bounds write in UAS (USB Attached SCSI) device emulation
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qemu 6.2.0-rc0 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-17 19:28:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1994641, 1994644    
Bug Blocks: 1989261, 1994689    

Description Mauro Matteo Cascella 2021-08-17 15:35:48 UTC 
An out-of-bounds write issue was found in the UAS (USB Attached SCSI) device emulation of QEMU. It occurs due to missing sanity checks in the usb_uas_handle_data() function in hw/usb/dev-uas.c. In particular, the device uses the guest-supplied stream number unchecked, which can lead to guest-triggered out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields.

Upstream fix:
https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg02766.html
Comment 1 Mauro Matteo Cascella 2021-08-17 15:36:17 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1994641]
Comment 2 Mauro Matteo Cascella 2021-08-17 15:44:28 UTC 
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1994644]
Comment 4 Mauro Matteo Cascella 2021-08-17 16:24:03 UTC 
From Gerd Hoffmann - USB maintainer:

The UAS (usb attached scsi) device emulation is not in widespread use, the classic usb storage device using the BOT (Bulk Only transport) protocol is much more popular and the only device supported by libvirt.

Also note that in RHEL the UAS device is not enabled.
Comment 5 Product Security DevOps Team 2021-08-17 19:28:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3713
Comment 6 Mauro Matteo Cascella 2021-08-23 11:07:41 UTC 
Looks like this issue was introduced in QEMU v1.5.0 via commit:
https://gitlab.com/qemu-project/qemu/-/commit/89a453d4a5c195e6d0a3c3d4fcaacb447447115f