A flaw was found in the USB redirector device (usb-redir) of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. More specifically, the usbredir_buffered_bulk_packet() function calls bufp_alloc() with an invalid pointer that points into the middle of a buffer controlled by the SPICE client. If the packet queue is full, bufp_alloc() ends up freeing the same pointer passed as argument. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
Upstream issue: https://gitlab.com/qemu-project/qemu/-/issues/491
Upstream fix: https://gitlab.com/qemu-project/qemu/-/commit/5e796671e6b8d5de4b0b423dce1b3eba144a92c9
Different types of USB transfers (Interrupt, Isochronous and Bulk transfers) lead to bufp_alloc(). Gerd Hoffmann pointed out that the "drop packets" logic in bufp_alloc() is meant for Isochronous endpoints. As described in the previous comment, the invalid pointer comes from the Bulk endpoint code path, and Bulk transfers should in theory never drop packets. However, there is a (rather high) limit of 5000 packets set for Bulk endpoints, so in practice it might be possible to end up in the "drop packets" code path even with bulk endpoints when spice-client tries to send a huge jumbo-packet.
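Added illustration (a constructed model, not QEMU's code and not the upstream patch): the "drop packets" path of bufp_alloc() with the flawed free of the packet pointer beside the corrected free of the ownership pointer, plus a small ownership ledger that reports an interior-pointer free instead of corrupting the heap. Queue sizes, packet sizes and the "last packet owns the buffer" rule are assumptions of the model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the bufp_alloc() "drop packets" path from CVE-2021-3682.
 * Names mirror QEMU's hw/usb/redirect.c but this is not QEMU's code. A packet
 * carved from a larger client buffer stores the buffer base in free_on_destroy
 * (NULL when another packet of the same transfer owns the buffer). */
struct buf_packet { unsigned char *data; size_t len; void *free_on_destroy; };
#define TARGET_SIZE 4   /* stands in for bufpq_target_size (an assumption) */
struct endpoint { struct buf_packet q[2 * TARGET_SIZE + 1]; int size; bool dropping; };
/* Ownership ledger standing in for the heap: only base pointers from alloc_buffer()
 * may be freed, so an interior-pointer free is reported instead of corrupting malloc. */
static void *live[8];
static void *alloc_buffer(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < 8; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static bool checked_free(void *p) {
    if (!p) return true;                       /* free(NULL) is a no-op */
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return true; }
    return false;                              /* not a base pointer: invalid free */
}
/* fixed=false frees `data` when dropping (the flaw); fixed=true frees the
 * ownership pointer. Returns 0 queued, -1 dropped, -2 dropped via invalid free. */
static int bufp_alloc(struct endpoint *ep, unsigned char *data, size_t len,
                      void *free_on_destroy, bool fixed) {
    if (!ep->dropping && ep->size > 2 * TARGET_SIZE) ep->dropping = true;
    if (ep->dropping) {
        if (ep->size > TARGET_SIZE)
            return checked_free(fixed ? free_on_destroy : data) ? -1 : -2;
        ep->dropping = false;
    }
    ep->q[ep->size++] = (struct buf_packet){ data, len, free_on_destroy };
    return 0;
}
/* One bulk transfer of `total` bytes split into `maxp`-byte packets; the last
 * packet owns the buffer (a modelling assumption). Returns the first non-zero
 * bufp_alloc() result, or 0 when every packet was queued. */
static int buffered_bulk(size_t total, size_t maxp, bool fixed) {
    struct endpoint ep = { 0 };
    unsigned char *data = alloc_buffer(total);
    int rc = 0;
    for (size_t i = 0; i < total && rc == 0; i += maxp) {
        size_t len = total - i < maxp ? total - i : maxp;
        rc = bufp_alloc(&ep, data + i, len, i + len == total ? data : NULL, fixed);
    }
    checked_free(data);                        /* release whatever the drop path left */
    return rc;
}
```

A transfer of 1024 bytes in 64-byte packets overflows the model's queue on the tenth packet: the flawed path then frees a pointer 576 bytes into the buffer, while the corrected path frees nothing because that packet does not own the buffer.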
Seems like this issue dates back to qemu-1.4.0 when support for buffered bulk input was first introduced: https://gitlab.com/qemu-project/qemu/-/commit/b2d1fe67d09d2b6c7da647fbcea6ca0148c206d3
Created qemu tracking bugs for this issue:
Affects: epel-7 [bug 1989934]
Affects: fedora-all [bug 1989933]
Note that the SPICE client needs to get past authentication to try exploiting this flaw.
While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems, due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat. It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limit the potential damage in case of guest-to-host escape scenario.
In reply to comment #8:
> While QEMU is an essential component in virtualization environments, it is
> not intended to be used directly on RHEL 8 systems, due to security
> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,
> which provides several isolation mechanisms to realize guest isolation and
> the principle of least privilege. For example, the fundamental isolation
> mechanism is that QEMU processes on the host are run as unprivileged users.
> Also, the libvirtd daemon sets up additional sandbox around QEMU by
> leveraging SELinux and sVirt protection for QEMU guests, which further limit
> the potential damage in case of guest-to-host escape scenario.

The impact of this flaw is limited (Moderate) under such circumstances.
(In reply to Mauro Matteo Cascella from comment #8)
> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,

I understand the highly-recommended part, but not sure if I agree with the currently not supported part. Where is that documented?
https://access.redhat.com/solutions/408653
This issue has been addressed in the following products:
Advanced Virtualization for RHEL 8.4.0.Z
Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3682
This issue has been addressed in the following products:
Advanced Virtualization for RHEL 8.2.1
Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704