Bug 1958978 (CVE-2021-3546) - CVE-2021-3546 QEMU: vhost-user-gpu: out-of-bounds write in virgl_cmd_get_capset()
Summary: CVE-2021-3546 QEMU: vhost-user-gpu: out-of-bounds write in virgl_cmd_get_caps...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-3546
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1959046 1959061
Blocks: 1957311 1959064
TreeView+ depends on / blocked
 
Reported: 2021-05-10 14:17 UTC by Mauro Matteo Cascella
Modified: 2021-10-29 09:03 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
Clone Of:
Environment:
Last Closed: 2021-10-29 09:03:54 UTC
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2021-05-10 14:17:13 UTC 
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU. The flaw exists in virgl_cmd_get_capset() in contrib/vhost-user-gpu/virgl.c and could occur while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

This issue is analogous to CVE-2016-10028 in virtio-gpu-3d:
https://bugzilla.redhat.com/show_bug.cgi?id=1406367

Patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg04536.html

OOB write in virgl_cmd_get_capset() in virgl.c:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg04542.html
Comment 3 Mauro Matteo Cascella 2021-05-10 16:02:29 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1959046]
Comment 5 Mauro Matteo Cascella 2021-05-12 17:26:11 UTC 
Statement:

This issue does not affect the versions of `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8, as Virgl was not enabled in these versions. Support for Virgl was enabled as technical preview in Red Hat Enterprise Linux Advanced Virtualization 8.2, and later disabled in Red Hat Enterprise Linux Advanced Virtualization 8.3.
Comment 6 Mauro Matteo Cascella 2021-05-12 17:29:19 UTC 
For more information about Virgl support in RHEL Advanced Virtualization, please refer to the following bugs:
* [RFE] Enable virgl as TechPreview (qemu) [bz#1559740]
* Drop virgil acceleration support and remove virglrenderer dependency [bz#1831271]
Comment 7 Mauro Matteo Cascella 2021-05-31 10:49:19 UTC 
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/9f22893a
Comment 8 Mauro Matteo Cascella 2021-06-15 10:34:38 UTC 
While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems, due to security concerns. Therefore, using qemu-* commands is not supported by Red Hat, and it is highly recommended to interact with QEMU using libvirt. Several isolation mechanisms are available to realize guest isolation and the principle of least privilege. The fundamental isolation mechanism is that QEMU processes must run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU using SELinux and sVirt protection for QEMU VMs, which further limit the potential damage in case of guest-to-host escape scenario. The impact of this flaw is hence limited under such circumstances.
Note You need to log in before you can comment on or make changes to this bug.