Bug 1998514 (CVE-2021-3748)

Summary: CVE-2021-3748 QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: berrange, carnil, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, slinaber, tuxmealux+redhatbz, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qemu-kvm 6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non-direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-03 14:07:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1999211, 1999212, 1999213, 1999221, 1999222, 1999223, 1999224, 2014569
Bug Blocks: 1997966, 2003975

Description Mauro Matteo Cascella 2021-08-27 12:54:17 UTC
OSS-Fuzz found a use-after-free vulnerability in virtio-net. It occurs in the virtio_net_receive_rcu function (hw/net/virtio-net.c) under these conditions:

1) the (malicious) driver tries to add a non-direct memory region as the buffer address
2) the memory core then needs to use the bounce buffer
3) virtio-net tries to set num_buffers *after* the iov is unmapped (the bounce buffer is freed)

A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.

Upstream patch & commit:
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg00388.html
https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
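The ordering problem described above, modelled in C as an added example (this is not code from the page, from QEMU or from the upstream patch): a constructed guest-RAM / bounce-buffer abstraction in which the vulnerable receive path writes num_buffers after the header sg entry has been unmapped, while the fixed path writes it first and unmaps afterwards, which is the reordering the description implies. The guest RAM size, the NON_DIRECT_REGION boundary and the function names are assumptions; the only value taken from the real format is the num_buffers offset (10) in virtio_net_hdr_mrg_rxbuf. Where real code would dereference the freed bounce buffer, the model returns false instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model: guest RAM the memory core maps directly, plus a region
 * (>= NON_DIRECT_REGION) it can only reach through a heap bounce buffer. */
static uint8_t guest_ram[64];
#define NON_DIRECT_REGION 0x1000u
#define NUM_BUFFERS_OFF 10u   /* offset of num_buffers in virtio_net_hdr_mrg_rxbuf */
struct sg_map {              /* one mapped header scatter-gather entry */
    uint8_t *host_ptr;       /* valid only while mapped */
    bool bounce;             /* host_ptr is a heap bounce buffer, not guest RAM */
    bool mapped;
};
static void map_hdr(struct sg_map *m, uint32_t guest_addr) {
    m->bounce = guest_addr >= NON_DIRECT_REGION;
    m->host_ptr = m->bounce ? calloc(NUM_BUFFERS_OFF + 2, 1) : guest_ram + guest_addr;
    m->mapped = true;
}
/* Frees the bounce buffer (a real unmap also copies it back to the guest first). */
static void unmap_hdr(struct sg_map *m) {
    if (m->bounce) { free(m->host_ptr); m->host_ptr = NULL; }
    m->mapped = false;
}
/* Stores num_buffers into the header. Real code would dereference the freed
 * bounce buffer here; the model refuses and reports false instead. */
static bool set_num_buffers(struct sg_map *m, uint16_t n) {
    if (m->bounce && !m->mapped) return false;           /* heap use-after-free */
    memcpy(m->host_ptr + NUM_BUFFERS_OFF, &n, sizeof n); /* direct RAM: still lands */
    return true;
}
/* Vulnerable ordering from the page: unmap first, then set num_buffers. */
bool receive_vulnerable(uint32_t guest_addr, uint16_t n) {
    struct sg_map m; map_hdr(&m, guest_addr); unmap_hdr(&m);
    return set_num_buffers(&m, n);
}
/* Fixed ordering: set num_buffers while the sg is still mapped, then unmap. */
bool receive_fixed(uint32_t guest_addr, uint16_t n) {
    struct sg_map m; map_hdr(&m, guest_addr);
    bool ok = set_num_buffers(&m, n); unmap_hdr(&m);
    return ok;
}
/* What the guest sees at a direct-RAM header address (endian-neutral read). */
uint16_t guest_num_buffers(uint32_t guest_addr) {
    uint16_t v; memcpy(&v, guest_ram + guest_addr + NUM_BUFFERS_OFF, sizeof v);
    return v;
}
```

The direct-RAM case shows why the defect stayed latent: the late write still lands in guest memory, and only a descriptor in the non-direct region turns it into a write to freed heap memory.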

Comment 4 Gianluca Gabrielli 2021-08-30 14:08:33 UTC
Hi Mauro,

Could you please confirm if the described use-after-free is related to this [0] upstream bug?

Cheers,
Gianluca

[0] https://gitlab.com/qemu-project/qemu/-/issues/535

Comment 5 Mauro Matteo Cascella 2021-08-30 16:09:39 UTC
Hi Gianluca,

(In reply to Gianluca Gabrielli from comment #4)
> Hi Mauro,
> 
> Could you please confirm if the described use-after-free is related to this
> [0] upstream bug?
> 
> Cheers,
> Gianluca
> 
> [0] https://gitlab.com/qemu-project/qemu/-/issues/535

At first glance it doesn't seem to be related: this is a virtio-net specific issue while the assertion failure in #535 is triggered via e1000e. iov_from_buf_full is involved in both cases, but I think they are different issues.

Note: the bug summary and comment #0 were edited to make it clear that this originates from virtio_net_receive_rcu (virtio-net).

Comment 6 Mauro Matteo Cascella 2021-08-30 17:38:24 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1999212]
Affects: fedora-all [bug 1999211]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1999213]

Comment 8 Salvatore Bonaccorso 2021-09-03 13:14:18 UTC
(In reply to Mauro Matteo Cascella from comment #5)
> Hi Gianluca,
> 
> (In reply to Gianluca Gabrielli from comment #4)
> > Hi Mauro,
> > 
> > Could you please confirm if the described use-after-free is related to this
> > [0] upstream bug?
> > 
> > Cheers,
> > Gianluca
> > 
> > [0] https://gitlab.com/qemu-project/qemu/-/issues/535
> 
> At first glance it doesn't seem to be related: this is a virtio-net specific
> issue while the assertion failure in #535 is triggered via e1000e.
> iov_from_buf_full is involved in both cases, but I think they are different
> issues.
> 
> Note: bug summary and comment#0 were edited to make it clear that this
> originates from virtio_net_receive_rcu (virtio-net).

Following up on that, as this is not the same as #535, do you know if this was
reported upstream to qemu?

Regards,
Salvatore

Comment 9 Mauro Matteo Cascella 2021-09-03 15:00:26 UTC
Hi Salvatore,

In reply to comment #8:
> Following up on that, as this is not the same as #535, do you know if this
> was reported upstream to qemu?

This was reported via the qemu-security mailing list (https://www.qemu.org/contribute/security-process). As far as I can see, no upstream issue was created for this. The CVE is mentioned in the upstream patch by Jason Wang, though (see comment #0).

Comment 11 Mauro Matteo Cascella 2021-09-09 18:06:15 UTC
In reply to comment #0:
> A malicious guest could use this flaw to crash QEMU, resulting in a denial
> of service condition, or potentially execute code on the host with the
> privileges of the QEMU process.

While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU by using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up an additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in the case of a guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.

Comment 14 errata-xmlrpc 2021-11-03 08:47:14 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:4112 https://access.redhat.com/errata/RHSA-2021:4112

Comment 15 Product Security DevOps Team 2021-11-03 14:07:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3748

Comment 16 errata-xmlrpc 2021-12-08 18:51:39 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:5036 https://access.redhat.com/errata/RHSA-2021:5036

Comment 17 errata-xmlrpc 2022-05-10 13:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759

Comment 18 Mauro Matteo Cascella 2022-12-23 08:55:41 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6