Bug 2020298 (CVE-2021-3929)
| Summary: | CVE-2021-3929 QEMU: nvme: DMA reentrancy issue leads to use-after-free | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | berrange, cfergeau, crobinso, dbecker, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, ondrejj, pbonzini, philmd, ribarry, rjones, sclewis, security-response-team, slinaber, virt-maint, virt-maint |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | qemu-kvm 7.0.0-rc0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-12-16 18:55:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2066083 | ||
| Bug Blocks: | 1997699, 2020565 | ||
|
Description
Mauro Matteo Cascella
2021-11-04 14:38:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3929 In reply to comment #0: > A malicious guest could use this issue to crash QEMU, resulting in a denial > of service condition, or potentially execute arbitrary code within the > context of the QEMU process on the host. While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL due to security concerns. In other words, using `qemu-kvm` commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances. For a *very good* description of this class of bugs, see this post by Peter Maydell: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03927.html. Reproducer from upstream issue #782: https://gitlab.com/qemu-project/qemu/-/issues/782#reproducer. Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385 Created qemu tracking bugs for this issue: Affects: fedora-all [bug 2066083] |