Bug 1186473 (CVE-2021-3416)

Summary: VUL-1: CVE-2021-3416: qemu,kvm: net: infinite loop in loopback mode may lead to stack overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: carlos.lopez, jose.ziviani, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/278592/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3416:3.2:(AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2021-05-26 15:34:17 UTC
rh#1932827

A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU. The said issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host, resulting in a DoS scenario.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1932827
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3416
https://www.openwall.com/lists/oss-security/2021/02/26/1
http://seclists.org/oss-sec/2021/q1/180
https://access.redhat.com/security/cve/CVE-2021-3416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3416
https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07484.html
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
Comment 2 Robert Frohl 2021-05-27 08:22:59 UTC
@Bruce: We revised this issue and CVE-2021-3419/bsc#1182968. Our assessment is that there are patches missing from the patchset. Therefore I opened this bug to track the issue correctly.

Assigning this to you because you handled the other issue.
Comment 3 Robert Frohl 2021-05-27 08:50:31 UTC
assigning to kvm-bugs instead
Comment 4 Swamp Workflow Management 2021-08-03 16:22:05 UTC
SUSE-SU-2021:14772-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1173612,1174386,1178683,1180523,1181933,1186473,1187364,1187367
CVE References: CVE-2020-11947,CVE-2020-15469,CVE-2020-15863,CVE-2020-25707,CVE-2021-20221,CVE-2021-3416,CVE-2021-3592,CVE-2021-3594
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kvm-1.4.2-60.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-08-06 13:34:48 UTC
SUSE-SU-2021:14774-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1031692,1173612,1174386,1178683,1180523,1181933,1186473,1187364,1187367
CVE References: CVE-2020-11947,CVE-2020-15469,CVE-2020-15863,CVE-2020-25707,CVE-2021-20221,CVE-2021-3416,CVE-2021-3592,CVE-2021-3594
JIRA References: 
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 José Ricardo Ziviani 2021-09-29 20:04:17 UTC
Hello Robert,

As far as I can see, everything is in there:


[10]
commit df308ce8d01f2368025ca2e1fb346ef23459767f
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Mon Mar 1 14:35:30 2021 -0500

    lan9118: switch to use qemu_receive_packet() for loopback
    
    Git-commit: 37cee01784ff0df13e5209517e1b3594a5e792d1
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[9]
commit b9860a8a53e43218ae4c814dfa99ef0832ffd85e
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Mon Mar 1 14:33:43 2021 -0500

    cadence_gem: switch to use qemu_receive_packet() for loopback
    
    Git-commit: e73adfbeec9d4e008630c814759052ed945c3fed
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>


[8]
commit 2f808a1d9442e63829487d96e19394508d24d65b
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Mon Mar 1 10:33:34 2021 -0500

    pcnet: switch to use qemu_receive_packet() for loopback
    
    Git-commit: 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[7]
commit 595becb10fbf8879055837958858950a3391356f
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Fri Feb 26 13:47:53 2021 -0500

    rtl8139: switch to use qemu_receive_packet() for loopback
    
    Git-commit: 5311fb805a4403bba024e83886fa0e7572265de4
    References: bsc#1182968, CVE-2021-3416
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[6]
commit dff4c7ce6a81fc5ef637c06fa5ae33bf7dab026e
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:27:52 2021 +0800

    tx_pkt: switch to use qemu_receive_packet_iov() for loopback
    
    Git-commit: 8c552542b81e56ff532dd27ec6e5328954bdda73
    
    This patch switches to use qemu_receive_packet_iov() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[5]
commit 233e0087a0440a62691a15230a1e69082d516b55
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:14:35 2021 +0800

    sungem: switch to use qemu_receive_packet() for loopback
    
    Git-commit: 8c92060d3c0248bd4d515719a35922cd2391b9b4
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[4]
commit 881a102c226db2ca33550218dcfc42c951e24245
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:00:01 2021 +0800

    msf2-mac: switch to use qemu_receive_packet() for loopback
    
    Git-commit: 26194a58f4eb83c5bdf4061a1628508084450ba1
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[3]
commit 67f1a2fb7d147f4d862f6fadb026046e1e2c226e
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 12:57:40 2021 +0800

    dp8393x: switch to use qemu_receive_packet() for loopback packet
    
    Git-commit: 331d2ac9ea307c990dc86e6493e8f0c48d14bb33
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[2]
commit 8acfc94869ebdcb148bf3905ce795e0a648a8caf
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 12:13:22 2021 +0800

    e1000: switch to use qemu_receive_packet() for loopback
    
    Git-commit: 1caff0340f49c93d535c6558a5138d20d475315c
    
    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[1]
commit 4dfa86c6720430b27fb410341069eda1b83b5051
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 11:44:36 2021 +0800

    net: introduce qemu_receive_packet()
    
    Git-commit: 705df5466c98f3efdd2b68d3b31dad86858acad7
    References: bsc#1182968, CVE-2021-3416
    
    Some NICs support loopback mode and this is done by calling
    nc->info->receive() directly which in fact suppresses the effort of
    reentrancy check that is done in qemu_net_queue_send().
    
    Unfortunately we can't use qemu_net_queue_send() here since for
    loopback there's no sender as peer, so this patch introduces a
    qemu_receive_packet() which is used for implementing loopback mode
    for a NIC with this check.
    
    NICs that support loopback mode will be converted to this helper.
    
    This is intended to address CVE-2021-3416.
    
    Cc: Prasad J Pandit <ppandit@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>
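The description above and the commit [1] message both describe the same mechanism: a NIC in loopback mode hands the frame straight to its own receive handler, so the `delivering` check that qemu_net_queue_send() would normally perform never runs, and a receive that re-kicks transmit recurses until the stack is gone. The following is an added example, not QEMU code and not part of this bug report: a self-contained C model of that recursion next to the shape of the fix. `NetQueue.delivering` mirrors the real QEMU field; `nic_receive`, `nic_transmit`, `guarded_receive_packet` (standing in for qemu_receive_packet()), the constructed 14-byte frame and the `MODEL_MAX_DEPTH` cut-off are this example's own assumptions, and the way the receive path re-enters transmit is modelled as a plain call back rather than any particular emulator's DMA side effect.

```c
/*
 * Added example (not QEMU code): model of the CVE-2021-3416 loopback
 * reentrancy and of the qemu_receive_packet()-style guard.
 * All names below except NetQueue.delivering are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Depth at which the model stops; the real QEMU process would have
 * exhausted its stack long before any such limit. (assumption) */
#define MODEL_MAX_DEPTH 64

typedef struct NetQueue {
    int delivering;  /* non-zero while a packet is being delivered */
} NetQueue;

typedef struct NIC {
    NetQueue incoming_queue;
    int loopback;    /* guest-enabled loopback mode */
    int use_guard;   /* 0: pre-fix direct call, 1: guarded helper */
    int depth;       /* current transmit nesting depth (instrumentation) */
    int max_depth;   /* deepest nesting reached */
    int rx_count;    /* frames handed to the receive path */
} NIC;

static void nic_transmit(NIC *nic, const uint8_t *buf, size_t len);

/* Stand-in for nc->info->receive(). The receive side re-kicks transmit,
 * which is the reentrant DMA effect the advisory describes (modelled here
 * as a direct call; the concrete trigger differs per emulator). */
static long nic_receive(NIC *nic, const uint8_t *buf, size_t len)
{
    nic->rx_count++;
    nic_transmit(nic, buf, len);
    return (long)len;
}

/* Like qemu_net_queue_deliver(): the only place that toggles 'delivering'. */
static long net_queue_deliver(NetQueue *q, NIC *nic,
                              const uint8_t *buf, size_t len)
{
    long ret;
    q->delivering = 1;
    ret = nic_receive(nic, buf, len);
    q->delivering = 0;
    return ret;
}

/* Shape of the fix: loopback goes through the NIC's own incoming queue, so a
 * receive triggered while another receive is in flight is dropped early. */
static long guarded_receive_packet(NIC *nic, const uint8_t *buf, size_t len)
{
    NetQueue *q = &nic->incoming_queue;
    if (q->delivering) {
        return 0;  /* reentrant loopback: return instead of recursing */
    }
    return net_queue_deliver(q, nic, buf, len);
}

/* The device's TX path; a guest TX kick ends up here. */
static void nic_transmit(NIC *nic, const uint8_t *buf, size_t len)
{
    nic->depth++;
    if (nic->depth > nic->max_depth) {
        nic->max_depth = nic->depth;
    }
    if (nic->depth >= MODEL_MAX_DEPTH) {
        nic->depth--;  /* model cut-off standing in for stack exhaustion */
        return;
    }
    if (nic->loopback) {
        if (nic->use_guard) {
            guarded_receive_packet(nic, buf, len);
        } else {
            nic_receive(nic, buf, len);  /* pre-fix: direct, unguarded call */
        }
    }
    nic->depth--;
}

/* Run one guest TX kick in loopback mode and return the instrumented NIC. */
NIC run_loopback_kick(int use_guard)
{
    /* Constructed Ethernet header: dst MAC, src MAC, EtherType IPv4. */
    static const uint8_t frame[14] = {
        0x52, 0x54, 0x00, 0x12, 0x34, 0x56,
        0x52, 0x54, 0x00, 0x65, 0x43, 0x21,
        0x08, 0x00,
    };
    NIC nic = { .loopback = 1, .use_guard = use_guard };
    nic_transmit(&nic, frame, sizeof frame);
    return nic;
}

int main(void)
{
    NIC unguarded = run_loopback_kick(0);
    NIC guarded = run_loopback_kick(1);
    printf("unguarded: nesting %d (model cut-off), rx %d\n",
           unguarded.max_depth, unguarded.rx_count);
    printf("guarded:   nesting %d, rx %d\n",
           guarded.max_depth, guarded.rx_count);
    return 0;
}
```

Without the guard every loopback frame re-enters transmit and the nesting only stops at the model's cut-off; with the guard the second, reentrant receive sees `delivering` set and returns 0, so one TX kick delivers exactly one frame and nesting stays at two. That early return is what each of the per-device commits listed above buys by switching to qemu_receive_packet() or qemu_receive_packet_iov().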
Comment 7 José Ricardo Ziviani 2021-09-29 20:07:10 UTC
I compared with the list from comment #1 and it really seems correct. All patches are there, in the same order.

I'm returning this patch back to the security team for confirmation.

Thank you!
Comment 8 Gianluca Gabrielli 2022-02-21 15:45:16 UTC
*** Bug 1182968 has been marked as a duplicate of this bug. ***
Comment 9 Carlos López 2022-09-20 11:23:14 UTC
Done, closing.