Bug 1989651 (CVE-2021-3682) - CVE-2021-3682 QEMU: usbredir: free() call on invalid pointer in bufp_alloc()
Summary: CVE-2021-3682 QEMU: usbredir: free() call on invalid pointer in bufp_alloc()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3682
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1989928 1989933 1989934 1989924 1989925 1989926 1989927 1996133
Blocks: 1986089 1990106
TreeView+ depends on / blocked
 
Reported: 2021-08-03 16:37 UTC by Mauro Matteo Cascella
Modified: 2021-09-30 19:01 UTC (History)
29 users (show)

Fixed In Version: qemu 6.1.0-rc2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the USB redirector device emulation of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2021-09-30 18:21:15 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3703 0 None None None 2021-09-30 16:54:11 UTC
Red Hat Product Errata RHSA-2021:3704 0 None None None 2021-09-30 19:01:53 UTC

Description Mauro Matteo Cascella 2021-08-03 16:37:52 UTC
A flaw was found in the USB redirector device (usb-redir) of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. More specifically, the usbredir_buffered_bulk_packet() function calls bufp_alloc() with an invalid pointer that points into the middle of a buffer controlled by the SPICE client. If the packet queue is full, bufp_alloc() ends up freeing the same pointer passed as argument. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.

Upstream issue:
https://gitlab.com/qemu-project/qemu/-/issues/491

Upstream fix:
https://gitlab.com/qemu-project/qemu/-/commit/5e796671e6b8d5de4b0b423dce1b3eba144a92c9

Comment 2 Mauro Matteo Cascella 2021-08-03 18:07:56 UTC
Different types of USB transfers (Interrupt, Isochronous and Bulk transfers) lead to bufp_alloc(). Gerd Hoffmann pointed out that the "drop packets" logic in bufp_alloc() is meant for Isochronous endpoints. As described in the previous comment, the invalid pointer comes from the Bulk endpoint code path, and Bulk transfers should in theory never drop packets. However, there is a (rather high) limit of 5000 packets set for Bulk endpoints, so in practice it might be possible to end up in the "drop packets" code path even with bulk endpoints when spice-client tries to send a huge jumbo-packet.

Comment 3 Mauro Matteo Cascella 2021-08-04 10:43:29 UTC
Seems like this issue dates back to qemu-1.4.0 when support for buffered bulk input was first introduced:
https://gitlab.com/qemu-project/qemu/-/commit/b2d1fe67d09d2b6c7da647fbcea6ca0148c206d3

Comment 5 Mauro Matteo Cascella 2021-08-04 11:05:48 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1989934]
Affects: fedora-all [bug 1989933]

Comment 7 Mauro Matteo Cascella 2021-08-05 08:25:42 UTC
Note that the SPICE client needs to get past authentication to try exploiting this flaw.

Comment 8 Mauro Matteo Cascella 2021-08-17 10:09:11 UTC
While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems, due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat. It is highly recommended to interact with QEMU using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limit the potential damage in case of guest-to-host escape scenario.

Comment 9 Mauro Matteo Cascella 2021-08-17 10:14:02 UTC
In reply to comment #8:
> While QEMU is an essential component in virtualization environments, it is
> not intended to be used directly on RHEL 8 systems, due to security
> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,
> which provides several isolation mechanisms to realize guest isolation and
> the principle of least privilege. For example, the fundamental isolation
> mechanism is that QEMU processes on the host are run as unprivileged users.
> Also, the libvirtd daemon sets up additional sandbox around QEMU by
> leveraging SELinux and sVirt protection for QEMU guests, which further limit
> the potential damage in case of guest-to-host escape scenario.

The impact of this flaw is limited (Moderate) under such circumstances.

Comment 10 Klaus Heinrich Kiwi 2021-08-17 11:58:48 UTC
(In reply to Mauro Matteo Cascella from comment #8)

> concerns. In other words, using qemu-kvm commands is not currently supported
> by Red Hat. It is highly recommended to interact with QEMU using libvirt,

I understand the highly-recommended part, but not sure if I agree with the currently not supported part. Where is that documented?

Comment 11 Richard W.M. Jones 2021-08-17 12:34:38 UTC
https://access.redhat.com/solutions/408653

Comment 13 errata-xmlrpc 2021-09-30 16:54:08 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703

Comment 14 Product Security DevOps Team 2021-09-30 18:21:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3682

Comment 15 errata-xmlrpc 2021-09-30 19:01:50 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704


Note You need to log in before you can comment on or make changes to this bug.