1973383 – (CVE-2021-3608) CVE-2021-3608 QEMU: pvrdma: uninitialized memory unmap in pvrdma_ring_init()

Bug 1973383 (CVE-2021-3608) - CVE-2021-3608 QEMU: pvrdma: uninitialized memory unmap in pvrdma_ring_init()

Summary: CVE-2021-3608 QEMU: pvrdma: uninitialized memory unmap in pvrdma_ring_init()

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-3608
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1973385
Blocks:	1962562 1973400
TreeView+	depends on / blocked

Reported:	2021-06-17 17:49 UTC by Mauro Matteo Cascella
Modified:	2022-02-16 09:46 UTC (History)
CC List:	27 users (show)
Fixed In Version:	qemu-kvm 6.1.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-06-17 21:03:59 UTC
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2021-06-17 17:49:57 UTC

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The flaw exists in the pvrdma_ring_init() function in hw/rdma/vmw/pvrdma_dev_ring.c and could occur while handling a "PVRDMA_REG_DSRHIGH" write from the guest. Due to improper initialization of the 'ring->pages' array, rdma_pci_dma_unmap() may be passed an uninitialized pointer as argument, leading to undefined behavior and possible crash of the QEMU process on the host.

Comment 1 Mauro Matteo Cascella 2021-06-17 17:54:08 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1973385]

Comment 4 Product Security DevOps Team 2021-06-17 21:03:59 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3608

Comment 5 Mauro Matteo Cascella 2021-06-30 15:36:08 UTC

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg07926.html

Note You need to log in before you can comment on or make changes to this bug.

berrange
cfergeau
dbecker
jen
jferlan
jforbes
jjoyce
jmaloy
jschluet
knoel
lhh
lpeer
m.a.young
mburns
mkenneth
mrezanin
mst
ondrejj
pbonzini
philmd
ribarry
rjones
sclewis
slinaber
tuxmealux+redhatbz
virt-maint
virt-maint