1922441 – (CVE-2021-20203) CVE-2021-20203 qemu: Failed malloc in vmxnet3_activate_device() in hw/net/vmxnet3.c

Bug 1922441 (CVE-2021-20203) - CVE-2021-20203 qemu: Failed malloc in vmxnet3_activate_device() in hw/net/vmxnet3.c

Summary: CVE-2021-20203 qemu: Failed malloc in vmxnet3_activate_device() in hw/net/vmx...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-20203
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1922719
Blocks:	1905617
TreeView+	depends on / blocked

Reported:	2021-01-29 17:55 UTC by Pedro Sampaio
Modified:	2021-11-19 12:34 UTC (History)
CC List:	27 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An integer overflow flaw was found in the vmxnet3 NIC emulator of QEMU. This issue occurs when a guest supplies invalid values for the rx/tx queue size or other NIC parameters. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:	2021-01-31 08:41:42 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-01-29 17:55:15 UTC

An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html

Comment 1 Prasad Pandit 2021-01-31 04:21:46 UTC

Acknowledgments:

Name: Gaoning Pan (Zhejiang University & Ant Security Light-Year Lab)

Comment 2 Prasad Pandit 2021-01-31 04:21:50 UTC

Statement:

This issue does not affect the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8.

Comment 3 Prasad Pandit 2021-01-31 04:21:53 UTC

External References:

https://bugs.launchpad.net/qemu/+bug/1913873

Comment 4 Prasad Pandit 2021-01-31 04:28:42 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1922719]

Comment 5 Product Security DevOps Team 2021-01-31 08:41:42 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20203

Comment 8 Philippe Mathieu-Daudé 2021-11-19 12:34:19 UTC

Fixed by https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88

Note You need to log in before you can comment on or make changes to this bug.

ailan
berrange
cfergeau
drjones
imammedo
itamar
jen
jferlan
jforbes
jmaloy
knoel
m.a.young
mkenneth
mrezanin
mst
ondrejj
pbonzini
philmd
ppandit
ribarry
rjones
robinlee.sysu
security-response-team
virt-maint
virt-maint
vkuznets
xen-maint