Bug 1999073 (CVE-2021-3750) - CVE-2021-3750 QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free
Summary: CVE-2021-3750 QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3750
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1999235 1999234 1999236 1999237 1999238 1999239 2075686
Blocks: 1997699 1999253
TreeView+ depends on / blocked
 
Reported: 2021-08-30 11:06 UTC by Mauro Matteo Cascella
Modified: 2023-11-21 02:41 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host.
Clone Of:
Environment:
Last Closed: 2022-12-04 23:04:04 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7967 0 None None None 2022-11-15 09:50:03 UTC
Red Hat Product Errata RHSA-2023:6980 0 None None None 2023-11-14 15:18:20 UTC

Description Mauro Matteo Cascella 2021-08-30 11:06:41 UTC 
A DMA reentrancy issue was found in the EHCI controller emulation of QEMU. From https://gitlab.com/qemu-project/qemu/-/issues/541:

"""
When EHCI tries to transfer the USB packets, it doesn't check if the Buffer Pointer is overlapped with its MMIO region. So crafted content may be written to the controller's registers and trigger actions like reset, but the device is still transferring packets.
"""

This flaw could enable a malicious guest to crash QEMU, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. For more information (stack trace, reproducer) see the aforementioned upstream issue.
Comment 2 Mauro Matteo Cascella 2021-08-30 11:08:14 UTC 
A fix is in the works for the whole class of DMA MMIO reentrancy issues:
https://gitlab.com/qemu-project/qemu/-/issues/556

Patchset by Philippe Mathieu-Daudé:
https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
Comment 3 Mauro Matteo Cascella 2021-08-30 17:50:27 UTC 
Created qemu tracking bugs for this issue:

Affects: epel-7 [bug 1999235]
Affects: fedora-all [bug 1999234]
Comment 5 Mauro Matteo Cascella 2021-09-10 13:55:04 UTC 
In reply to comment #0:
> This flaw could enable a malicious guest to crash QEMU, resulting in a
> denial of service condition, or potentially execute arbitrary code within
> the context of the QEMU process on the host.

While QEMU is an essential component in virtualization environments, it is not intended to be used directly on RHEL 8 systems due to security concerns. In other words, using qemu-kvm commands is not currently supported by Red Hat (https://access.redhat.com/solutions/408653). It is highly recommended to interact with QEMU by using libvirt, which provides several isolation mechanisms to realize guest isolation and the principle of least privilege. For example, the fundamental isolation mechanism is that QEMU processes on the host are run as unprivileged users. Also, the libvirtd daemon sets up additional sandbox around QEMU by leveraging SELinux and sVirt protection for QEMU guests, which further limits the potential damage in case of guest-to-host escape scenario. The impact of this flaw is limited (Moderate) under such circumstances.
Comment 6 Mauro Matteo Cascella 2021-09-10 14:04:27 UTC 
For a *very good* description of this class of bugs, see this post by Peter Maydell: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03927.html.
Comment 8 Mauro Matteo Cascella 2021-12-17 11:49:14 UTC 
In reply to comment #2:
> Patchset by Philippe Mathieu-Daudé:
> https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html

Updated version:
https://lists.nongnu.org/archive/html/qemu-devel/2021-12/msg02356.html
Comment 12 John Ferlan 2022-03-28 11:56:25 UTC 
(In reply to Mauro Matteo Cascella from comment #8)
> In reply to comment #2:
> > Patchset by Philippe Mathieu-Daudé:
> > https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
> 
> Updated version:
> https://lists.nongnu.org/archive/html/qemu-devel/2021-12/msg02356.html

Looks like patches from this series have landed in qemu-7.0:

1/3: 2c89b5af5e72ab8c9d544c6e30399528b2238827
2/3: 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9
3/3: 3ab6fdc91b72e156da22848f0003ff4225690ced
Comment 14 errata-xmlrpc 2022-11-15 09:50:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7967 https://access.redhat.com/errata/RHSA-2022:7967
Comment 15 Product Security DevOps Team 2022-12-04 23:04:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3750
Comment 16 Mauro Matteo Cascella 2023-04-30 17:05:45 UTC 
This was eventually fixed via commit https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380.
Comment 17 errata-xmlrpc 2023-11-14 15:18:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6980 https://access.redhat.com/errata/RHSA-2023:6980
Note You need to log in before you can comment on or make changes to this bug.