Bug 1994640 (CVE-2021-3713) - CVE-2021-3713 QEMU: out-of-bounds write in UAS (USB Attached SCSI) device emulation
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3713
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1994644 1994641
Blocks: 1989261 1994689
Reported: 2021-08-17 15:35 UTC by Mauro Matteo Cascella
Modified: 2021-08-23 11:07 UTC

Fixed In Version: qemu 6.2.0-rc0
Doc Text:
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU. The device uses the guest-supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2021-08-17 19:28:10 UTC
Embargoed:


Description Mauro Matteo Cascella 2021-08-17 15:35:48 UTC
An out-of-bounds write issue was found in the UAS (USB Attached SCSI) device emulation of QEMU. It occurs due to missing sanity checks in the usb_uas_handle_data() function in hw/usb/dev-uas.c. In particular, the device uses the guest-supplied stream number unchecked, which can lead to guest-triggered out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields.

Upstream fix:
https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg02766.html
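
The missing check described above, as a simplified C model. This is an added example, not code from the bug report or from QEMU: ModelUAS, ModelPacket, the model_* functions and the table size of 16 are assumptions, and only the field names data3 and status3 come from the report.

```c
#include <stdio.h>

/* Simplified model, NOT QEMU source: every name and the table size
 * below are assumptions made for this example. */
#define MODEL_MAX_STREAMS 16

typedef struct ModelPacket {
    unsigned int stream;   /* stream number chosen by the guest */
} ModelPacket;

typedef struct ModelUAS {
    /* One parked packet per stream; valid indexes 0..MODEL_MAX_STREAMS. */
    ModelPacket *data3[MODEL_MAX_STREAMS + 1];
    ModelPacket *status3[MODEL_MAX_STREAMS + 1];
} ModelUAS;

enum { MODEL_OK = 0, MODEL_ERR_STREAM = -1, MODEL_ERR_BUSY = -2 };

/* Park p in a per-stream table. Without the range check, the store at
 * the end would write a pointer past the table for a large stream. */
static int model_park(ModelPacket **table, ModelPacket *p)
{
    if (p->stream > MODEL_MAX_STREAMS) {
        return MODEL_ERR_STREAM;   /* reject before indexing */
    }
    if (table[p->stream] != NULL) {
        return MODEL_ERR_BUSY;     /* slot already holds a packet */
    }
    table[p->stream] = p;
    return MODEL_OK;
}

/* Both pipes share the same validation, one table each. */
int model_handle_data(ModelUAS *uas, ModelPacket *p) { return model_park(uas->data3, p); }
int model_handle_status(ModelUAS *uas, ModelPacket *p) { return model_park(uas->status3, p); }

int main(void)
{
    static ModelUAS uas;   /* zero-initialised: all slots empty */
    /* Constructed stream numbers: two in range, two out of range. */
    static ModelPacket pkts[] = { {0}, {16}, {17}, {0xFFFFu} };
    for (int i = 0; i < 4; i++) {
        printf("stream %u -> %d\n", pkts[i].stream,
               model_handle_data(&uas, &pkts[i]));
    }
    return 0;
}
```

The comparison is made on the unsigned value before any indexing, so both tables are left untouched when a packet is rejected.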

Comment 1 Mauro Matteo Cascella 2021-08-17 15:36:17 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1994641]

Comment 2 Mauro Matteo Cascella 2021-08-17 15:44:28 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1994644]

Comment 4 Mauro Matteo Cascella 2021-08-17 16:24:03 UTC
From Gerd Hoffmann - USB maintainer:

The UAS (USB Attached SCSI) device emulation is not in widespread use; the classic USB storage device using the BOT (Bulk Only Transport) protocol is much more popular and the only device supported by libvirt.

Also note that in RHEL the UAS device is not enabled.

Comment 5 Product Security DevOps Team 2021-08-17 19:28:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3713

Comment 6 Mauro Matteo Cascella 2021-08-23 11:07:41 UTC
Looks like this issue was introduced in QEMU v1.5.0 via commit:
https://gitlab.com/qemu-project/qemu/-/commit/89a453d4a5c195e6d0a3c3d4fcaacb447447115f