Bug 2025882 (CVE-2021-3839)

Summary: CVE-2021-3839 DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aconole, amctagga, anharris, aoconnor, bniver, ctrautma, echaudro, fleitner, flucifre, gmeno, hvyas, jhsiao, linville, maxime.coquelin, mbenjamin, mcascell, mhackett, michal.skrivanek, mperina, nhorman, ovs-qe, ovs-team, ralongi, rkhan, sbonazzo, security-response-team, sfowler, sostapov, tredaelli, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dpdk 22.03 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the vhost library in DPDK. Function vhost_user_set_inflight_fd() does not validate `msg->payload.inflight.num_queues`, possibly causing out-of-bounds memory read/write. Any software using DPDK vhost library may crash as a result of this vulnerability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-27 22:07:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2026133, 2026134, 2026135, 2026136, 2026137, 2026138, 2026139, 2026140, 2026583, 2026641, 2026642, 2081486    
Bug Blocks: 2024112    

Description Dhananjay Arunesh 2021-11-23 09:55:36 UTC 
In function vhost_user_set_inflight_fd() which is in DPDK Vhost library,  msg->payload.inflight.num_queues doesn't get checked to determine if it's out of bounds. So it could cause the program to write/read out of boundary. And in the end the software using DPDK Vhost library may crash.
Comment 4 Mauro Matteo Cascella 2022-05-03 21:20:52 UTC 
Upstream commit:
https://github.com/DPDK/dpdk/commit/6442c329b9d2ded0f44b27d2016aaba8ba5844c5
Comment 5 Mauro Matteo Cascella 2022-05-03 21:22:37 UTC 
Created dpdk tracking bugs for this issue:

Affects: fedora-all [bug 2081486]
Comment 12 errata-xmlrpc 2022-05-27 18:14:27 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2022:4786 https://access.redhat.com/errata/RHSA-2022:4786
Comment 13 errata-xmlrpc 2022-05-27 18:14:46 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2022:4787 https://access.redhat.com/errata/RHSA-2022:4787
Comment 14 errata-xmlrpc 2022-05-27 18:15:00 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2022:4788 https://access.redhat.com/errata/RHSA-2022:4788
Comment 15 Product Security DevOps Team 2022-05-27 22:07:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3839
Comment 16 errata-xmlrpc 2022-11-15 10:46:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8263 https://access.redhat.com/errata/RHSA-2022:8263