A heap buffer overflow was found in the floppy disk emulator of QEMU up to and including 6.0.0. It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host, resulting in a DoS scenario, or to potentially leak information from host memory.
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1951175]
The data length is not properly computed/sanitized while processing DMA read data transfers from the floppy drive (specifically, while handling a VERIFY command). This leads to a negative value being used as the data length in fdctrl_transfer_handler(), which is eventually passed to a memcpy in flatview_write_continue().
Stacktrace:
==22918==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900003c800 at pc 0x555558170177 bp 0x7fffffffbc10 sp 0x7fffffffb3d8
READ of size 786432 at 0x61900003c800 thread T0
    #0 0x555558170176 in __asan_memcpy (system-i386+0x2c1c176)
    #1 0x55555964a3ed in flatview_write_continue softmmu/physmem.c:2781:13
    #2 0x55555963fde8 in flatview_write softmmu/physmem.c:2816:14
    #3 0x55555963fde8 in address_space_write softmmu/physmem.c:2908:18
    #4 0x555558dcb0e0 in cpu_physical_memory_write master/include/exec/cpu-common.h:80:5
    #5 0x555558dcb0e0 in i8257_dma_write_memory hw/dma/i8257.c:452:9
    #6 0x555558fdb4d9 in fdctrl_transfer_handler hw/block/fdc.c:1809:13
    #7 0x555558fc7377 in fdctrl_write_data hw/block/fdc.c:2459:13
    #8 0x555558fc7377 in fdctrl_write hw/block/fdc.c:967:9
    [...]

Debug output:
FLOPPY: init controller
FLOPPY: revalidate
FLOPPY: No drive connected
FLOPPY: revalidate
FLOPPY: No drive connected
FLOPPY: revalidate
FLOPPY: Floppy disk (2 h 80 t 18 s) rw
FLOPPY: reset controller
FLOPPY: recalibrate
FLOPPY: recalibrate
FLOPPY: try to read 0 00 01 (max=1 0 00 00)
[R +0.025666] outl 0x9 0x0a0206
FLOPPY: Not in DMA transfer mode !
[...]
[R +0.025798] outw 0x3f4 0x0
fdc_ioport_write write reg 0x04 val 0x00
FLOPPY: select rate register set to 0x00
fdc_ioport_write write reg 0x05 val 0x00
FLOPPY: fdctrl_write_data: 00
FLOPPY: VERIFY command
FLOPPY: Calling handler for 'VERIFY'
FLOPPY: Start transfer at 0 0 00 02 (1)
FLOPPY: direction=5 (8704 - -512)
FLOPPY: copy -512 bytes (-512 0 -512) 0 pos 0 00 (2-0x00000001 0x00000200)
FLOPPY: copy 1 bytes (1 0 -512) 0 pos 0 00 (2-0x00000001 0x00000200)
FLOPPY: end transfer 1 1 -512
FLOPPY: transfer status: 00 00 00 (00)
FLOPPY: Set interrupt status to 0x00
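To illustrate the defect class behind this report (a signed transfer length of -512, as in the debug output, reaching a memcpy whose size parameter is size_t) and the range check that prevents it, here is an added simplified C model. It is not QEMU's code: FdcModel, FIFO_SIZE, unchecked_copy_size and checked_copy are hypothetical names, and the buffer size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of one FDC DMA transfer step, not QEMU's own code.
 * The controller keeps a sector buffer (fifo) and signed byte counters
 * (data_len / data_pos), and copies the remaining bytes to guest memory. */
#define FIFO_SIZE 4096   /* assumed buffer size for this model */

typedef struct {
    int data_pos;        /* offset of the next byte to copy */
    int data_len;        /* bytes in the current transfer; signed, as in fdc.c */
    uint8_t fifo[FIFO_SIZE];
} FdcModel;

/* Vulnerable shape: len is derived from an unsanitized data_len and handed
 * straight to memcpy. memcpy takes size_t, so a negative len wraps to a
 * huge size. This function only reports the size memcpy would receive and
 * deliberately does not perform the copy. */
size_t unchecked_copy_size(const FdcModel *fdc)
{
    int len = fdc->data_len - fdc->data_pos;   /* e.g. -512 - 0 = -512 */
    return (size_t)len;                         /* what memcpy(dst, src, len) sees */
}

/* Hardened shape: refuse the step unless pos >= 0, len >= 0, and pos + len
 * stays inside both buffers. Returns bytes copied, or -1 when rejected. */
long checked_copy(FdcModel *fdc, uint8_t *dst, size_t dst_cap)
{
    int len = fdc->data_len - fdc->data_pos;
    if (len < 0 || fdc->data_pos < 0 ||
        (size_t)fdc->data_pos + (size_t)len > FIFO_SIZE ||
        (size_t)len > dst_cap) {
        return -1;                              /* abort the transfer, touch no memory */
    }
    memcpy(dst, fdc->fifo + fdc->data_pos, (size_t)len);
    fdc->data_pos += len;
    return len;
}

int main(void)
{
    FdcModel fdc = { .data_pos = 0, .data_len = -512 };   /* constructed from the debug line above */
    uint8_t guest[8704];                                  /* DMA length from the same line */
    printf("memcpy would see %zu bytes\n", unchecked_copy_size(&fdc));
    printf("checked copy: %ld\n", checked_copy(&fdc, guest, sizeof guest));
    fdc.data_len = 512;                                   /* a sane one-sector transfer */
    printf("checked copy of one sector: %ld\n", checked_copy(&fdc, guest, sizeof guest));
    return 0;
}
```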
Statement: This issue affects the version of `qemu-kvm` as shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 8 Advanced Virtualization. A future update may address this flaw.
Acknowledgments: Name: Alexander Bulekov
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1960575]
Has this issue been forwarded to upstream?
In reply to comment #10:
> Has this issue been forwarded to upstream?

Yes, this was notified upstream. The patch should still be in the works.

Hi John, iirc this was going to be addressed together with the NULL pointer issues tracked here: https://gitlab.com/qemu-project/qemu/-/issues/338. The fixes for those CVEs still need to be applied. Do you have any updates about this? Thanks.

[1] CVE-2020-25741: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
[2] CVE-2021-20196: https://lists.nongnu.org/archive/html/qemu-devel/2021-01/msg05986.html
(In reply to Mauro Matteo Cascella from comment #11)
> In reply to comment #10:
> > Has this issue been forwarded to upstream?
>
> Yes, this was notified upstream. The patch should still be in the works.
>
> Hi John, iirc this was going to be addressed together with the NULL pointer
> issues tracked here: https://gitlab.com/qemu-project/qemu/-/issues/338. The
> fixes for those CVEs still need to be applied. Do you have any updates about
> this? Thanks.
>
> [1] CVE-2020-25741:
> https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
> [2] CVE-2021-20196:
> https://lists.nongnu.org/archive/html/qemu-devel/2021-01/msg05986.html

Adding to my urgent list alongside the other AHCI and FDC bugs. Will report back soon. From memory, we have fixes but I was thinking that they would be re-sent to list, but they seem to have been lost in the shuffle. Allow me to track down where the ball got dropped and I'll push on these.

--js
John/Jon - any news about this? We need to decide what to do on downstream RHEL-8.6 (there's also an -AV bug which I think is moot but necessary due to the z-stream process) and RHEL-9.
Kevin just merged Philippe's fix here:
https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367
https://gitlab.com/qemu-project/qemu/-/commit/46609b90d9e3a6304def11038a76b58ff43f77bc
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8

Via RHSA-2022:7472 https://access.redhat.com/errata/RHSA-2022:7472
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9

Via RHSA-2022:7967 https://access.redhat.com/errata/RHSA-2022:7967
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3507