Bug 1973349 (CVE-2021-3607) - CVE-2021-3607 QEMU: pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()
Summary: CVE-2021-3607 QEMU: pvrdma: unchecked malloc size due to integer overflow in ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3607
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1973352
Blocks: 1973400 1962562
TreeView+ depends on / blocked
 
Reported: 2021-06-17 16:40 UTC by Mauro Matteo Cascella
Modified: 2021-08-04 07:44 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-06-17 21:03:54 UTC


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2021-06-17 16:40:23 UTC
An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device. It could occur while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. More specifically, the init_dev_ring() function in pvrdma_main.c does not validate the guest supplied 'num_pages' which is subsequently decremented and used in pvrdma_ring_init() to allocate dynamic memory via g_malloc(). This could result in a NULL pointer dereference issue (if g_malloc returns NULL) or allocation of large amount of memory and out-of-bounds read access. A privileged guest user could exploit this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

static int init_dev_ring(..., uint32_t num_pages) {
  ...
  rc = pvrdma_ring_init(..., (dma_addr_t)num_pages - 1); // guest may provide num_pages = 0
  ...
}

int pvrdma_ring_init(..., uint32_t npages) {
  ...
  ring->pages = g_malloc(npages * sizeof(void *)); // npages may be -1 here
  for (i = 0; i < npages; i++) {
    ...
    ring->pages[i] = rdma_pci_dma_map(dev, tbl[i], TARGET_PAGE_SIZE);
  ...
}

Comment 1 Mauro Matteo Cascella 2021-06-17 16:40:56 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1973352]

Comment 3 Product Security DevOps Team 2021-06-17 21:03:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3607

Comment 5 Mauro Matteo Cascella 2021-06-30 15:35:38 UTC
Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg07925.html


Note You need to log in before you can comment on or make changes to this bug.