Bug 1979858 (CVE-2021-3638) - CVE-2021-3638 QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write
Summary: CVE-2021-3638 QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to o...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3638
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1979882
Blocks: 2003528 1978398
TreeView+ depends on / blocked
 
Reported: 2021-07-07 09:20 UTC by Mauro Matteo Cascella
Modified: 2022-03-03 07:12 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2021-07-07 10:40:48 UTC


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2021-07-07 09:20:21 UTC
A flaw was found in the ATI VGA emulation of QEMU. An inconsistent check and use of dst_[x|y] and s->regs.dst_[x|y] may lead to out-of-bounds write of vram_ptr. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations from the guest. A malicious guest user could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Note: this is similar to CVE-2020-11869, CVE-2020-24352 and CVE-2020-27616.

Comment 2 Mauro Matteo Cascella 2021-07-07 10:22:29 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1979882]

Comment 4 Salvatore Bonaccorso 2021-09-03 13:11:54 UTC
Has this issue been forwarded/notified to upstream?

Comment 5 Mauro Matteo Cascella 2021-09-03 17:14:37 UTC
In reply to comment #4:
> Has this issue been forwarded/notified to upstream?

Yes, this was reported upstream via qemu-security mailing list. The impact of this CVE is very minimal as the ati-vga device is still experimental and not really meant to be used in production environments. This may be the reason why it's not been addressed so far. I'll reach out to QEMU maintainer(s) to ask if they have any feedback about this.

Thanks.

Comment 6 Philippe Mathieu-Daudé 2021-09-03 17:26:59 UTC
Could CVE-2021-3638 be fixed by this commit?

commit ca1f9cbfdce4d63b10d57de80fef89a89d92a540
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Wed Oct 21 16:08:18 2020 +0530

    ati: check x y display parameter values
    
    The source and destination x,y display parameters in ati_2d_blt()
    may run off the vga limits if either of s->regs.[src|dst]_[xy] is
    zero. Check the parameter values to avoid potential crash.
    
    Reported-by: Gaoning Pan <pgn@zju.edu.cn>
    Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
    Message-id: 20201021103818.1704030-1-ppandit@redhat.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Comment 7 Mauro Matteo Cascella 2021-09-06 12:54:51 UTC
I don't think so, because that was the patch for CVE-2020-27616: https://bugzilla.redhat.com/show_bug.cgi?id=1894036#c0.
And it 's still possible to reproduce this issue with that patch applied.

Comment 8 Mauro Matteo Cascella 2021-09-09 09:28:22 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html


Note You need to log in before you can comment on or make changes to this bug.