An integer overflow was found in the QEMU implementation of VMware's paravirtual RDMA device. It could occur while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. More specifically, the init_dev_ring() function in pvrdma_main.c does not validate the guest-supplied 'num_pages', which is subsequently decremented and used in pvrdma_ring_init() to allocate dynamic memory via g_malloc(). This could result in a NULL pointer dereference issue (if g_malloc returns NULL) or in the allocation of a large amount of memory and out-of-bounds read access. A privileged guest user could exploit this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

The affected code paths (elided with "...") are:

```c
static int init_dev_ring(..., uint32_t num_pages)
{
    ...
    /* num_pages comes straight from the guest and is not checked before the subtraction */
    rc = pvrdma_ring_init(..., (dma_addr_t)num_pages - 1); // guest may provide num_pages = 0
    ...
}

int pvrdma_ring_init(..., uint32_t npages)
{
    ...
    ring->pages = g_malloc(npages * sizeof(void *)); // npages may be -1 here
    /* with npages == 0xFFFFFFFF the loop walks far past the end of tbl[] */
    for (i = 0; i < npages; i++) {
        ...
        ring->pages[i] = rdma_pci_dma_map(dev, tbl[i], TARGET_PAGE_SIZE);
        ...
    }
    ...
}
```
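The following is an added, self-contained C model of the arithmetic described above, not code from QEMU or from the upstream patch. It reproduces the unsigned wrap that a guest value of num_pages = 0 causes in the vulnerable path, and shows a hardened entry point that validates the guest-supplied count before it is decremented. The constant EXAMPLE_MAX_RING_PAGES and the function names are constructed for this example; the page does not state what upper bound, if any, the real device enforces.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* Constructed upper bound for this example; it is an assumption, not QEMU's value. */
#define EXAMPLE_MAX_RING_PAGES 64u

/* Models the vulnerable call chain: the caller computes (dma_addr_t)num_pages - 1
 * and the callee receives it as uint32_t npages. For num_pages == 0 the
 * 64-bit subtraction yields all ones, which truncates to 0xFFFFFFFF. */
uint32_t vulnerable_ring_pages(uint32_t num_pages)
{
    uint64_t dma_value = (uint64_t)num_pages - 1;   /* wraps when num_pages == 0 */
    return (uint32_t)dma_value;                      /* truncation into npages */
}

/* Size in bytes that g_malloc(npages * sizeof(void *)) would be asked for.
 * On a 64-bit host a wrapped npages requests roughly 32 GiB. */
size_t vulnerable_alloc_bytes(uint32_t num_pages)
{
    uint32_t npages = vulnerable_ring_pages(num_pages);
    return (size_t)npages * sizeof(void *);
}

/* Returns 1 if the copy loop "for (i = 0; i < npages; i++) ... tbl[i]" would
 * read past a page table that actually holds tbl_entries entries. */
int vulnerable_loop_overruns_table(uint32_t num_pages, uint32_t tbl_entries)
{
    return vulnerable_ring_pages(num_pages) > tbl_entries;
}

/* Hardened variant: reject the guest value before any arithmetic is done on it.
 * Returns 0 and stores the validated page count in *npages_out, or -EINVAL. */
int hardened_init_dev_ring(uint32_t num_pages, uint32_t *npages_out)
{
    if (num_pages == 0 || num_pages > EXAMPLE_MAX_RING_PAGES) {
        return -EINVAL;                 /* zero would underflow; oversized would over-allocate */
    }
    *npages_out = num_pages - 1;        /* cannot wrap now that num_pages >= 1 */
    return 0;
}
```

The hardened function keeps the same "one less than num_pages" convention as the original call so the rest of the ring code is unchanged; the only behavioural difference is that a zero or oversized guest value is refused with -EINVAL instead of reaching g_malloc().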
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1973352]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3607
Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg07925.html