Bug 2274211 (CVE-2024-3446)

Summary: CVE-2024-3446 QEMU: virtio: DMA reentrancy issue leads to double free vulnerability
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, ddepaula, jen, jferlan, jmaloy, kkiwi, knoel, mrezanin, mst, nilal, pbonzini, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2274212    
Bug Blocks: 1997699    

Description Mauro Matteo Cascella 2024-04-09 18:30:12 UTC 
It was found that the mem_reentrancy_guard flag did not sufficiently protect against DMA reentrancy issues in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), leading to a double free vulnerability. A malicious privileged guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host.

Upstream patch:
https://patchew.org/QEMU/20240409105537.18308-1-philmd@linaro.org/
Comment 1 Mauro Matteo Cascella 2024-04-09 18:30:39 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2274212]
Comment 3 Mauro Matteo Cascella 2024-04-09 18:35:24 UTC 
While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL systems due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU by using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. The fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of guest-to-host escape scenario. The impact of this flaw is therefore limited (Moderate) under such circumstances.