Bug 2021869 (CVE-2021-3947) - CVE-2021-3947 QEMU: NVMe: out-of-bounds memory read in nvme_changed_nslist
Summary: CVE-2021-3947 QEMU: NVMe: out-of-bounds memory read in nvme_changed_nslist
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3947
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2022084 2022085
Blocks: 2018537 2022398
Reported: 2021-11-10 11:13 UTC by msiddiqu
Modified: 2023-08-04 08:03 UTC (History)

Fixed In Version: qemu-kvm 6.2.0-rc2
Doc Type: If docs needed, set a value
Doc Text:
A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information.
Clone Of:
Environment:
Last Closed: 2021-11-10 18:27:50 UTC
Embargoed:



Description msiddiqu 2021-11-10 11:13:12 UTC
A stack buffer overflow flaw was found in NVME in QEMU. The flaw lies in hw/nvme/ctrl.c:nvme_changed_nslist() where a variable named off (Log Page offset) is controlled by the guest which, if set to bigger than 4096, could lead to an integer underflow. Another variable, buf_len, can also be partially controlled by the guest, which would lead to a stack buffer overflow. Since this flaw allows an attacker to read out of bounds memory, it could lead to disclosure of sensitive information.
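
As an added illustration of the arithmetic the report describes (modelled C written for this page, not QEMU's hw/nvme/ctrl.c and not the upstream patch; the 4096-byte list size and the reject-on-offset policy are assumptions drawn from the description), the wrapping length computation beside a guarded version:

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Size of the on-stack namespace list the report refers to: 1024 four-byte
 * entries, i.e. the 4096-byte Log Page (assumed from the description). */
#define NSLIST_BYTES 4096u
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Pre-fix length computation as the report describes it: once the guest-chosen
 * Log Page offset exceeds NSLIST_BYTES the unsigned subtraction wraps, MIN()
 * simply returns buf_len, and the copy would start past the end of the list. */
static uint64_t vulnerable_trans_len(uint64_t off, uint32_t buf_len)
{
    return MIN(NSLIST_BYTES - off, buf_len);
}

/* True when len bytes at off lie inside the list; phrased so off + len cannot wrap. */
static bool range_in_bounds(uint64_t off, uint64_t len)
{
    return off <= NSLIST_BYTES && len <= NSLIST_BYTES - off;
}

/* Guarded variant: validate the offset before it reaches the subtraction. Returns
 * the transfer length, or -1 where a controller would fail the command instead. */
static int64_t hardened_trans_len(uint64_t off, uint32_t buf_len)
{
    if (off >= NSLIST_BYTES) {
        return -1;
    }
    return (int64_t)MIN(NSLIST_BYTES - off, buf_len);
}

/* Model of the guarded copy into a guest buffer (a static array stands in for
 * the guest's DMA target). Returns bytes copied, or -1 when rejected. */
static int64_t copy_changed_nslist(uint64_t off, uint32_t buf_len)
{
    static uint8_t guest_buf[NSLIST_BYTES];
    uint32_t nslist[NSLIST_BYTES / 4];
    int64_t len = hardened_trans_len(off, buf_len);

    if (len < 0) {
        return -1;
    }
    memset(nslist, 0, sizeof(nslist));            /* constructed: no entries */
    assert(range_in_bounds(off, (uint64_t)len));  /* holds by construction */
    memcpy(guest_buf, (const uint8_t *)nslist + off, (size_t)len);
    return len;
}
```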

Comment 1 gkamathe 2021-11-10 18:04:47 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 2022084]
Affects: fedora-all [bug 2022085]

Comment 4 Philippe Mathieu-Daudé 2021-11-11 15:47:13 UTC
(In reply to msiddiqu from comment #0)
> A stack overflow flaw was found in NVME in QEMU. The flaw lies in
> hw/nvme/ctrl.c:nvme_changed_nslist() where a variable named off (Log Page
> offset) is controlled by guest which if set to bigger than 4096 could lead
> to an integer underflow. Another variable buf_len can also be partially
> controlled by the guest which would lead to a stack buffer overflow. Since
> this flaw allows an attacker to read out of bounds memory it could lead to
> disclosure of sensitive information.

Proposed upstream patch:
https://lore.kernel.org/qemu-devel/20211111153125.2258176-1-philmd@redhat.com/

Comment 8 Philippe Mathieu-Daudé 2021-11-17 15:46:16 UTC
Likely final upstream fix (v3):
https://lore.kernel.org/qemu-devel/20211117132335.41850-1-its@irrelevant.dk/

Comment 10 Philippe Mathieu-Daudé 2021-11-19 12:37:37 UTC
Fixed upstream by https://gitlab.com/qemu-project/qemu/-/commit/e2c57529c9306e4
