Bug 736038 (CVE-2011-3346)

Summary: CVE-2011-3346 qemu: local DoS with SCSI CD-ROM
Product: [Other] Security Response Reporter: Paolo Bonzini <pbonzini>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mrezanin, pbonzini, pmatouse, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-10 13:11:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 736289, 736291, 736292, 736293    
Bug Blocks: 736261, 745055    

Description Paolo Bonzini 2011-09-06 13:35:19 UTC 
Paolo Bonzini found a buffer overflow in QEMU's SCSI subsystem.  hw/scsi-disk.c
tries to zero a user-provided number of bytes in a fixed-size buffer. An unprivileged local guest user can potentially use this flaw to crash the
guest.
Comment 1 Petr Matousek 2011-09-07 09:01:56 UTC 
Original 1st comment from Paolo
-------------------------------

Description of problem:
A buffer overflow is present in QEMU's SCSI subsystem.  hw/scsi-disk.c
tries to zero a user-provided number of bytes in a fixed-size buffer.

#define SCSI_DMA_BUF_SIZE    65536
...
typedef struct SCSIRequest {
    SCSIDevice *dev;
    uint32_t tag;
    /* ??? We should probably keep track of whether the data trasfer is
       a read or a write.  Currently we rely on the host getting it right.  */
    /* Both sector and sector_count are in terms of qemu 512 byte blocks.  */
    int64_t sector;
    int sector_count;
    /* The amount of data in the buffer.  */
    int buf_len;
    uint8_t dma_buf[SCSI_DMA_BUF_SIZE];
    BlockDriverAIOCB *aiocb;
    struct SCSIRequest *next;
} SCSIRequest;
...
int32_t scsi_send_command(SCSIDevice *s, uint32_t tag, uint8_t *buf, int lun)
{
...
    command = buf[0];
    r = scsi_new_request(s, tag);
    outbuf = r->dma_buf;
    switch (command >> 5) {
...
    case 4:
...
        len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
        cmdlen = 16;
...
    }
...
    case 0x9e:
        /* Service Action In subcommands. */
        if ((buf[1] & 31) == 0x10) {
            DPRINTF("SAI READ CAPACITY(16)\n");
            memset(outbuf, 0, len);

Version-Release number of selected component (if applicable):
xen-3.0.3-132.el5
qemu-kvm-0.12.1.2-2.171.el6

How reproducible:
100%

Steps to Reproduce:
1. Under RHEL5 Xen, create a RHEL6 guest that has a SCSI CD-ROM.
2. Install sg3_utils in the guest.
3. Log into the guest from the VNC console as an unprivileged user.
4. Check with getfacl (e.g. "getfacl /dev/sr0" for RHEL5 Xen) that the
user got read-write access to the device.
4. Send the following CDB to the device using sg_raw (READ CAPACITY 16,
allocation length = 0x040000):

     9E 10 00 00 00 00 00 00 00 00 00 04 00 00 00 00

Actual results:
qemu crashes

Expected results:
Either the CDB is rejected with an ILLEGAL REQUEST sense code, or it
works successfully

Additional info:
The reproduction steps require ConsoleKit for the user to gain access to
the CD-ROM devices. For this reason, they do not work when logging in
via ssh. Similarly, RHEL5 and earlier guests are not as vulnerable
because they do not use ConsoleKit: only privileged users can send CDBs
to SCSI devices under RHEL5 and earlier.

The bug is minor because the user cannot control the data that is
written to the buffer. Petr Matousek gave it AV:L/AC:H/Au:N/C:N/I:N/A:C
in private IRC discussion.

RHEL5 KVM does not support SCSI devices at all. RHEL6 KVM supports USB
disks (which are SCSI), but not USB CD-ROMs. Hence, unless root manually
changes permissions or ACLs, the bug cannot be exploited by an
unprivileged user.  We may still want to patch it.

Beware of bug 735993.  Until it is fixed, in order to create sda as a
SCSI CD-ROM you should instead add a dummy *sde* disk like

  disk = [ "file:...:hda,w", "file:...:sda,r", "file:...:sde:cdrom,r" ]
Comment 5 Petr Matousek 2011-09-07 09:56:16 UTC 
Statement:

This issue only affects qemu as shipped with Red Hat Enterprise Linux 5 xen packages. The versions of the qemu/kvm as shipped with Red Hat Enterprise Linux 5 are not affected.
Comment 6 Petr Matousek 2011-09-21 15:14:15 UTC 
Paolo, could you please post link to the upstream patch?
Comment 7 Paolo Bonzini 2011-09-21 16:05:08 UTC 
Yes, it just got committed.  A simpler patch is possible, but I prefer to wait:

https://github.com/bonzini/qemu/commit/103b40f51e4012b3b0ad20f615562a1806d7f49a
https://github.com/bonzini/qemu/commit/7285477ab11831b1cf56e45878a89170dd06d9b9
Comment 8 Paolo Bonzini 2011-09-23 13:20:09 UTC 
5.8 patch posted.
Comment 9 errata-xmlrpc 2011-10-24 17:13:57 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1401 https://rhn.redhat.com/errata/RHSA-2011-1401.html