Bug 2020588 (CVE-2021-3930) - CVE-2021-3930 QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c
Summary: CVE-2021-3930 QEMU: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3930
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2020598 2020599 2020720 2020721 2020722 2020723 2025605 2025607 2025608
Blocks: 2020383
Reported: 2021-11-05 10:33 UTC by Mauro Matteo Cascella
Modified: 2022-01-11 17:00 UTC

Fixed In Version: qemu-kvm 6.2.0-rc0
Doc Type: If docs needed, set a value
Doc Text:
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
Clone Of:
Environment:
Last Closed: 2022-01-11 17:00:42 UTC


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2021:5065  0        None      None    None     2021-12-09 18:27:35 UTC
Red Hat Product Errata  RHSA-2021:5238  0        None      None    None     2021-12-21 09:59:14 UTC
Red Hat Product Errata  RHSA-2022:0081  0        None      None    None     2022-01-11 16:02:16 UTC

Description Mauro Matteo Cascella 2021-11-05 10:33:08 UTC
An off-by-one error was found in the SCSI Device emulation in QEMU. It could occur in hw/scsi/scsi-disk.c:mode_sense_page() while processing MODE SELECT commands if 'page' was set to MODE_PAGE_ALLS (0x3f). Specifically, 'page' was used to index the stack-allocated 'mode_sense_valid' buffer (size=0x3f), causing an off-by-one error when trying to access the last element. A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
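
Added illustration (editor's example, not QEMU code and not part of this report): a C model of the pre-fix table lookup and of the post-fix MODE SELECT check. The page-code constants and device-type bits follow QEMU's naming in hw/scsi, the validity table holds only a constructed subset of entries, the two parameter lists are constructed rather than captured from a guest, and the explicit bounds check in mode_select_page_supported() is an extra guard added here; the upstream commit referenced below only rejects MODE_PAGE_ALLS before the lookup. The point the model makes: the page code is a 6-bit field (masked with 0x3f), so the largest value a guest can send is exactly 0x3f, while the table has slots 0x00..0x3e.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Names as used in QEMU's hw/scsi; values are the SCSI mode page codes. */
#define MODE_PAGE_RW_ERROR      0x01
#define MODE_PAGE_CACHING       0x08
#define MODE_PAGE_CAPABILITIES  0x2a
#define MODE_PAGE_ALLS          0x3f    /* MODE SENSE "all pages" wildcard */
#define TYPE_DISK               0
#define TYPE_ROM                5

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Model of mode_sense_valid: one bitmask of supported device types per page
 * code 0x00..0x3e. MODE_PAGE_ALLS (0x3f) is a wildcard, not a page, so it has
 * no slot: index 0x3f is one past the end of this array.
 * The entries below are a constructed subset, not the full QEMU table.
 */
static const int mode_sense_valid[0x3f] = {
    [MODE_PAGE_RW_ERROR]     = (1 << TYPE_DISK) | (1 << TYPE_ROM),
    [MODE_PAGE_CACHING]      = (1 << TYPE_DISK) | (1 << TYPE_ROM),
    [MODE_PAGE_CAPABILITIES] = (1 << TYPE_ROM),
};

/* Pre-fix shape of the lookup: the guest-supplied page code is the index and
 * nothing checks it. It is only ever called with in-bounds pages below. */
static int mode_sense_valid_lookup_unchecked(int devtype, int page)
{
    return (mode_sense_valid[page] & (1 << devtype)) != 0;
}

/* The off-by-one made explicit: 0x3f is representable in the 6-bit page code
 * field but is not a valid index into the table. */
int page_index_in_bounds(int page)
{
    return page >= 0 && (size_t)page < ARRAY_SIZE(mode_sense_valid);
}

/* Post-fix MODE SELECT check. Rejecting MODE_PAGE_ALLS first is what upstream
 * commit b3af7fdf9cc5 does; the bounds check is an additional guard added in
 * this example, not part of that patch. */
int mode_select_page_supported(int devtype, int page)
{
    if (page == MODE_PAGE_ALLS) {
        return 0;
    }
    if (!page_index_in_bounds(page)) {
        return 0;
    }
    return mode_sense_valid_lookup_unchecked(devtype, page);
}

/*
 * Walk a MODE SELECT parameter list of page descriptors (byte 0 bits 5:0 =
 * page code, byte 1 = page length, then page data). Returns the number of
 * accepted pages, or -1 for a truncated, overrunning or unsupported page.
 * Only page support is checked here; the real device also validates contents.
 */
int mode_select_walk(int devtype, const uint8_t *p, size_t len)
{
    int accepted = 0;
    while (len > 0) {
        if (len < 2) {
            return -1;                   /* truncated descriptor header */
        }
        int page = p[0] & 0x3f;          /* same 6-bit mask QEMU applies: 0..0x3f */
        size_t page_len = p[1];
        p += 2;
        len -= 2;
        if (page_len > len) {
            return -1;                   /* descriptor overruns the list */
        }
        if (!mode_select_page_supported(devtype, page)) {
            return -1;                   /* ILLEGAL REQUEST in the real device */
        }
        accepted++;
        p += page_len;
        len -= page_len;
    }
    return accepted;
}

/* Constructed guest parameter lists (not captured traffic). */
const uint8_t benign_list[] = {
    MODE_PAGE_CACHING, 0x02, 0x04, 0x00,  /* caching page with 2 data bytes */
};
const uint8_t alls_list[] = {
    MODE_PAGE_CACHING, 0x02, 0x04, 0x00,
    MODE_PAGE_ALLS,    0x00,              /* page code 0x3f: one past the table */
};

int main(void)
{
    printf("0x3f in bounds: %d\n", page_index_in_bounds(MODE_PAGE_ALLS));
    printf("benign list: %d\n",
           mode_select_walk(TYPE_DISK, benign_list, sizeof benign_list));
    printf("list with 0x3f: %d\n",
           mode_select_walk(TYPE_DISK, alls_list, sizeof alls_list));
    return 0;
}
```

The unchecked lookup is kept in its pre-fix shape so the reader can compare it against the guarded path; it is deliberately never invoked with 0x3f, since that read is undefined behaviour and is exactly what an ASan or stack-protector build of QEMU would abort on. Rejecting the wildcard at the MODE SELECT entry point mirrors how the MODE SENSE path already avoided the problem by expanding 0x3f into a loop over 0x00..0x3e instead of indexing with it.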

Comment 1 Mauro Matteo Cascella 2021-11-05 11:10:33 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2020599]
Affects: fedora-all [bug 2020598]

Comment 2 Philippe Mathieu-Daudé 2021-11-05 11:32:02 UTC
I don't have access to bug 2020383, but from comment #0 the fix is likely:  
https://www.mail-archive.com/qemu-devel@nongnu.org/msg779652.html

Comment 4 Salvatore Bonaccorso 2021-11-06 07:45:14 UTC
(In reply to Philippe Mathieu-Daudé from comment #2)
> I don't have access to bug 2020383, but from comment #0 the fix is likely:  
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg779652.html

That looks correct, because https://bugs.launchpad.net/qemu/+bug/1914638 is referenced which moved to https://gitlab.com/qemu-project/qemu/-/issues/546 and there Paolo mentioned the CVE assignment in https://gitlab.com/qemu-project/qemu/-/issues/546#note_725175813

Comment 5 Mauro Matteo Cascella 2021-11-08 19:10:12 UTC
This patch was eventually pulled and merged: https://lists.nongnu.org/archive/html/qemu-devel/2021-11/msg01896.html.

Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8

Comment 9 errata-xmlrpc 2021-12-09 18:27:32 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2021:5065 https://access.redhat.com/errata/RHSA-2021:5065

Comment 10 errata-xmlrpc 2021-12-21 09:59:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5238 https://access.redhat.com/errata/RHSA-2021:5238

Comment 11 errata-xmlrpc 2022-01-11 16:02:12 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.5.0.Z

Via RHSA-2022:0081 https://access.redhat.com/errata/RHSA-2022:0081

Comment 12 Product Security DevOps Team 2022-01-11 17:00:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3930