A DMA reentrancy issue was found in the NVM Express Controller emulation in QEMU. Functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking if the destination region overlaps with device's MMIO. This flaw is similar to CVE-2021-3750 and just like CVE-2021-3750, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. This is easier to exploit, though, because the attacker can trigger the free operations precisely and the freed object contains a timer pointer that can be leveraged by the attacker. A malicious guest could use this issue to crash QEMU, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. Upstream issues: https://gitlab.com/qemu-project/qemu/-/issues/782 https://gitlab.com/qemu-project/qemu/-/issues/556
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3929
In reply to comment #0: > A malicious guest could use this issue to crash QEMU, resulting in a denial > of service condition, or potentially execute arbitrary code within the > context of the QEMU process on the host. While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL due to security concerns. In other words, using `qemu-kvm` commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.
For a *very good* description of this class of bugs, see this post by Peter Maydell: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03927.html.
Reproducer from upstream issue #782: https://gitlab.com/qemu-project/qemu/-/issues/782#reproducer.
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 2066083]