Bug 1997184 (CVE-2021-3735) - CVE-2021-3735 QEMU: ahci: deadlock issue leads to denial of service
Summary: CVE-2021-3735 QEMU: ahci: deadlock issue leads to denial of service
Keywords:
Status: NEW
Alias: CVE-2021-3735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1997217 1997213 1997214 1997215 1997216 1997218
Blocks: 1981414
 
Reported: 2021-08-24 14:59 UTC by Mauro Matteo Cascella
Modified: 2023-07-07 08:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Mauro Matteo Cascella 2021-08-24 14:59:07 UTC
A deadlock issue was found in the AHCI controller device (ich9-ahci) of QEMU while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. The bug is triggered on a software reset (ahci_reset_port) in the handle_reg_h2d_fis() function [1]. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition.

[1] https://github.com/qemu/qemu/blob/v6.1.0-rc4/hw/ide/ahci.c#L1215

Comment 2 Mauro Matteo Cascella 2021-08-24 16:05:53 UTC
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1997217]
Affects: fedora-all [bug 1997215]

Comment 4 Salvatore Bonaccorso 2021-09-03 13:12:36 UTC
Has this issue been forwarded/notified to upstream?

Comment 5 Mauro Matteo Cascella 2021-09-03 16:38:39 UTC
In reply to comment #4:
> Has this issue been forwarded/notified to upstream?

Yes, this was reported via qemu-security mailing list. John Snow (IDE maintainer) is aware of it. John, do you happen to have any updates on this?

