Bug 1998514 (CVE-2021-3748) - CVE-2021-3748 QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu
Summary: CVE-2021-3748 QEMU: virtio-net: heap use-after-free in virtio_net_receive_rcu
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3748
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1999212 1999211 1999213 1999221 1999222 1999223 1999224 2014569
Blocks: 1997966 2003975
TreeView+ depends on / blocked
 
Reported: 2021-08-27 12:54 UTC by Mauro Matteo Cascella
Modified: 2023-01-03 17:27 UTC (History)
30 users (show)

Fixed In Version: qemu-kvm 6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
Clone Of:
Environment:
Last Closed: 2021-11-03 14:07:47 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4112 0 None None None 2021-11-03 08:47:17 UTC
Red Hat Product Errata RHSA-2021:5036 0 None None None 2021-12-08 18:51:42 UTC
Red Hat Product Errata RHSA-2022:1759 0 None None None 2022-05-10 13:16:48 UTC

Description Mauro Matteo Cascella 2021-08-27 12:54:17 UTC
OSS-Fuzz found a use-after-free vulnerability in virtio-net. It occurs in the virtio_net_receive_rcu function (hw/net/virtio-net.c) under these conditions:

1) the (malicious) driver tries to add a non direct memory region as the buffer address
2) then memory core needs to use the bounce buffer
3) virtio-net tries to set the num_buffers *after* the iov is unmapped (bounce buffer is freed)

A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.

Upstream patch & commit:
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg00388.html
https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6

Comment 4 Gianluca Gabrielli 2021-08-30 14:08:33 UTC
Hi Mauro,

Could you please confirm if the described use-after-free is related to this [0] upstream bug?

Cheers,
Gianluca

[0] https://gitlab.com/qemu-project/qemu/-/issues/535

Comment 5 Mauro Matteo Cascella 2021-08-30 16:09:39 UTC
Hi Gianluca,

(In reply to Gianluca Gabrielli from comment #4)
> Hi Mauro,
> 
> Could you please confirm if the described use-after-free is related to this
> [0] upstream bug?
> 
> Cheers,
> Gianluca
> 
> [0] https://gitlab.com/qemu-project/qemu/-/issues/535

At first glance it doesn't seem to be related: this is a virtio-net specific issue while the assertion failure in #535 is triggered via e1000e. iov_from_buf_full is involved in both cases, but I think they are different issues.

Note: bug summary and comment#0 were edited to make it clear that this originates from virtio_net_receive_rcu (virtio-net).

Comment 6 Mauro Matteo Cascella 2021-08-30 17:38:24 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1999212]
Affects: fedora-all [bug 1999211]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1999213]

Comment 8 Salvatore Bonaccorso 2021-09-03 13:14:18 UTC
(In reply to Mauro Matteo Cascella from comment #5)
> Hi Gianluca,
> 
> (In reply to Gianluca Gabrielli from comment #4)
> > Hi Mauro,
> > 
> > Could you please confirm if the described use-after-free is related to this
> > [0] upstream bug?
> > 
> > Cheers,
> > Gianluca
> > 
> > [0] https://gitlab.com/qemu-project/qemu/-/issues/535
> 
> At first glance it doesn't seem to be related: this is a virtio-net specific
> issue while the assertion failure in #535 is triggered via e1000e.
> iov_from_buf_full is involved in both cases, but I think they are different
> issues.
> 
> Note: bug summary and comment#0 were edited to make it clear that this
> originates from virtio_net_receive_rcu (virtio-net).

Following up on that, as this is not the same as #535, do you know if this was
reported upstream to qemu?

Regards,
Salvatore

Comment 9 Mauro Matteo Cascella 2021-09-03 15:00:26 UTC
Hi Salvatore,

In reply to comment #8:
> Following up on that, as this is not the same as #535, do you know if this
> was reported upstream to qemu?

This was reported via qemu-security mailing list (https://www.qemu.org/contribute/security-process). As far as I can see, no upstream issue was created for this. The CVE is mentioned in the upstream patch by Jason Wang, though (see comment#0).

Comment 11 Mauro Matteo Cascella 2021-09-09 18:06:15 UTC
In reply to comment #0:
> A malicious guest could use this flaw to crash QEMU, resulting in a denial
> of service condition, or potentially execute code on the host with the
> privileges of the QEMU process.

While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU by using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.

Comment 14 errata-xmlrpc 2021-11-03 08:47:14 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:4112 https://access.redhat.com/errata/RHSA-2021:4112

Comment 15 Product Security DevOps Team 2021-11-03 14:07:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3748

Comment 16 errata-xmlrpc 2021-12-08 18:51:39 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:5036 https://access.redhat.com/errata/RHSA-2021:5036

Comment 17 errata-xmlrpc 2022-05-10 13:16:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759

Comment 18 Mauro Matteo Cascella 2022-12-23 08:55:41 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6


Note You need to log in before you can comment on or make changes to this bug.