Bug 2020298 (CVE-2021-3929) - CVE-2021-3929 QEMU: nvme: DMA reentrancy issue leads to use-after-free
Summary: CVE-2021-3929 QEMU: nvme: DMA reentrancy issue leads to use-after-free
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3929
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2066083
Blocks: 1997699 2020565
Reported: 2021-11-04 14:38 UTC by Mauro Matteo Cascella
Modified: 2022-03-24 17:00 UTC (History)

Fixed In Version: qemu-kvm 7.0.0-rc0
Doc Type: If docs needed, set a value
Doc Text:
A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2021-12-16 18:55:57 UTC



Description Mauro Matteo Cascella 2021-11-04 14:38:06 UTC
A DMA reentrancy issue was found in the NVM Express Controller emulation in QEMU. Functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking if the destination region overlaps with the device's MMIO. This flaw is similar to CVE-2021-3750 and, just like CVE-2021-3750, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed, leading to a use-after-free issue. This is easier to exploit, though, because the attacker can trigger the free operations precisely and the freed object contains a timer pointer that can be leveraged by the attacker. A malicious guest could use this issue to crash QEMU, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host.

Upstream issues:
https://gitlab.com/qemu-project/qemu/-/issues/782
https://gitlab.com/qemu-project/qemu/-/issues/556
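As an added illustration (not code from QEMU or from this report), a simplified model of the guard the description implies: every guest-supplied DMA target is compared against the controller's own MMIO window before the copy takes place, so a device-initiated write can never land on the register file and re-enter the device. `dev_model`, `dma_overlaps_mmio`, `dma_to_guest`, `example_transfer` and the RAM/window sizes are hypothetical constructs for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical, simplified device model: the guest-physical window of its
 * registers. Names are illustrative for this example, not QEMU's own. */
typedef struct {
    uint64_t mmio_base;   /* start of the controller's register window */
    uint64_t mmio_size;   /* window size in bytes (assumed not to wrap) */
} dev_model;

enum { DMA_OK = 0, DMA_ERR_IOMEM = 1, DMA_ERR_RANGE = 2 };

/* True if [addr, addr + len) intersects the device's own MMIO window.
 * Zero length never overlaps; a range wrapping around 64 bits is reported
 * as overlapping so it is never accepted. */
bool dma_overlaps_mmio(const dev_model *d, uint64_t addr, uint64_t len)
{
    if (len == 0) return false;
    if (addr + len < addr) return true;           /* 64-bit wraparound */
    uint64_t hi = addr + len;                     /* exclusive end */
    uint64_t mmio_hi = d->mmio_base + d->mmio_size;
    return addr < mmio_hi && d->mmio_base < hi;
}

/* Every device-to-guest copy is gated by the overlap check, so a DMA write
 * can never land on the register file and re-enter the device's MMIO
 * handlers (for example a controller reset) in the middle of a transfer. */
int dma_to_guest(const dev_model *d, uint64_t addr, const uint8_t *src,
                 uint64_t len, uint8_t *guest_ram, uint64_t ram_size)
{
    if (dma_overlaps_mmio(d, addr, len)) return DMA_ERR_IOMEM;
    if (addr + len < addr || addr + len > ram_size) return DMA_ERR_RANGE;
    memcpy(guest_ram + addr, src, len);
    return DMA_OK;
}

/* Constructed fixture: 128 KiB of "guest RAM" with a 16 KiB register
 * window placed at 64 KiB. */
static uint8_t example_ram[0x20000];
static const dev_model example_dev = { 0x10000, 0x4000 };

/* Attempt a 16-byte transfer to addr and report the gate's verdict. */
int example_transfer(uint64_t addr)
{
    static const uint8_t payload[16] = { 0xAB };
    return dma_to_guest(&example_dev, addr, payload, sizeof payload,
                        example_ram, sizeof example_ram);
}
```

The transfers that touch or straddle the window edges, and the one that wraps past the end of the address space, are the cases a one-sided comparison would let through.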

Comment 4 Product Security DevOps Team 2021-12-16 18:55:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3929

Comment 5 Mauro Matteo Cascella 2021-12-17 11:38:02 UTC
In reply to comment #0:
> A malicious guest could use this issue to crash QEMU, resulting in a denial 
> of service condition, or potentially execute arbitrary code within the
> context of the QEMU process on the host.

While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL due to security concerns. In other words, using `qemu-kvm` commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up an additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of a guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.

Comment 6 Mauro Matteo Cascella 2021-12-17 11:40:44 UTC
For a *very good* description of this class of bugs, see this post by Peter Maydell: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03927.html.

Comment 8 Mauro Matteo Cascella 2021-12-17 11:53:25 UTC
Reproducer from upstream issue #782: https://gitlab.com/qemu-project/qemu/-/issues/782#reproducer.

Comment 9 Mauro Matteo Cascella 2022-03-20 15:19:26 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385

Comment 10 Mauro Matteo Cascella 2022-03-20 15:30:46 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2066083]

