Bug 1185981 - (CVE-2021-3546) VUL-0: CVE-2021-3546: qemu,kvm: QEMU: vhost-user-gpu: out-of-bounds write in virgl_cmd_get_capset()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/283874/
CVSSv3.1:SUSE:CVE-2021-3546:6.5:(AV:N...
Depends on:
Blocks:
Reported: 2021-05-12 14:45 UTC by Gianluca Gabrielli
Modified: 2021-07-14 01:19 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2021-05-12 14:45:28 UTC
CVE-2021-3546

An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU. The flaw exists in virgl_cmd_get_capset() in contrib/vhost-user-gpu/virgl.c and could occur while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service, or potentially execute arbitrary code on the host with the privileges of the QEMU process.

This issue is analogous to CVE-2016-10028 in virtio-gpu-3d:
https://bugzilla.suse.com/show_bug.cgi?id=1017084

Patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html

OOB write in virgl_cmd_get_capset() in virgl.c:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01154.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1958978
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3546
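The pattern behind the flaw, as an added example that is not QEMU's code and not part of this bug report: a memory-safe model of the VIRTIO_GPU_CMD_GET_CAPSET handler, with the vulnerable form beside the hardened one. The model assumes, following the upstream fix referenced later in this bug (commit 9f22893a), that the renderer reports max_size == 0 for a capset id it does not know, that the unfixed handler allocated a zero-length payload anyway, and that the renderer's fill routine then wrote a full capset regardless. The mock renderer, its capset sizes, the status codes and the "unknown id falls back to the v1-sized layout" behaviour are all constructed for the example and stand in for the virglrenderer calls.

```c
/* Added example, not QEMU's code: memory-safe model of the GET_CAPSET
 * handling pattern behind CVE-2021-3546. The mock renderer below stands in
 * for virgl_renderer_get_cap_set()/virgl_renderer_fill_caps(); all sizes and
 * the behaviour for unknown capset ids are assumptions of the model. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define RESP_HDR_LEN 24   /* virtio_gpu_ctrl_hdr is 24 bytes; capset payload follows */

/* Guest-supplied command body: both fields are attacker-controlled. */
struct get_capset_req {
    uint32_t capset_id;
    uint32_t capset_version;
};

enum capset_status { CAPSET_OK = 0, CAPSET_ERR_INVALID_PARAMETER = 1 };

struct capset_result {
    enum capset_status status;
    size_t allocated;   /* payload bytes the handler allocated */
    size_t written;     /* payload bytes the renderer wanted to write */
};

/* Model of virgl_renderer_get_cap_set(): constructed sizes for ids 1 and 2,
 * max_size == 0 for anything the renderer does not know. */
static void mock_get_cap_set(uint32_t id, uint32_t *max_ver, uint32_t *max_size)
{
    switch (id) {
    case 1:  *max_ver = 1; *max_size = 32;  break;
    case 2:  *max_ver = 2; *max_size = 128; break;
    default: *max_ver = 0; *max_size = 0;   break;
    }
}

/* Model of virgl_renderer_fill_caps(). The real call is never told the buffer
 * length; this mock takes it so the example cannot corrupt memory, writes at
 * most buf_len bytes, and returns how many the real call would have written. */
static size_t mock_fill_caps(uint32_t id, unsigned char *buf, size_t buf_len)
{
    uint32_t ver, want;
    mock_get_cap_set(id, &ver, &want);
    if (want == 0) {
        want = 32;  /* assumption: an unknown id still fills the v1-sized layout */
    }
    memset(buf, 0xAB, want < buf_len ? want : buf_len);
    return want;
}

/* Vulnerable pattern: trust max_size, allocate it, let the renderer write. */
static struct capset_result handle_get_capset_vulnerable(const struct get_capset_req *req)
{
    struct capset_result r = { CAPSET_OK, 0, 0 };
    uint32_t max_ver, max_size;
    unsigned char *resp;

    mock_get_cap_set(req->capset_id, &max_ver, &max_size);
    resp = calloc(1, RESP_HDR_LEN + max_size);   /* zero payload bytes for an unknown id */
    if (!resp) { abort(); }
    r.allocated = max_size;
    r.written = mock_fill_caps(req->capset_id, resp + RESP_HDR_LEN, max_size);
    free(resp);
    return r;
}

/* Hardened pattern, following upstream commit 9f22893a: reject an id the
 * renderer reports no capset for before anything is allocated or written. */
static struct capset_result handle_get_capset_fixed(const struct get_capset_req *req)
{
    struct capset_result r = { CAPSET_OK, 0, 0 };
    uint32_t max_ver, max_size;
    unsigned char *resp;

    mock_get_cap_set(req->capset_id, &max_ver, &max_size);
    if (max_size == 0) {
        r.status = CAPSET_ERR_INVALID_PARAMETER;   /* reply with an error instead */
        return r;
    }
    resp = calloc(1, RESP_HDR_LEN + max_size);
    if (!resp) { abort(); }
    r.allocated = max_size;
    r.written = mock_fill_caps(req->capset_id, resp + RESP_HDR_LEN, max_size);
    free(resp);
    return r;
}

/* True when the handler let the renderer write past its payload allocation. */
static int result_overflows(struct capset_result r)
{
    return r.written > r.allocated;
}

int main(void)
{
    struct get_capset_req bad = { 7, 1 };   /* constructed request: no such capset */
    struct capset_result r = handle_get_capset_vulnerable(&bad);
    printf("vulnerable: allocated %zu, renderer wrote %zu -> %s\n",
           r.allocated, r.written, result_overflows(r) ? "OOB write" : "ok");
    r = handle_get_capset_fixed(&bad);
    printf("fixed: status %d, allocated %zu\n", (int)r.status, r.allocated);
    return 0;
}
```

The point of the check is that the size used for the allocation and the size the renderer will write come from two different calls, and only the first one is consulted; a guest-chosen capset id that the renderer does not know makes the first report zero while the second still writes. Validating the guest parameter against what the renderer actually reports, before the allocation, is what closes the gap.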
Comment 1 Gianluca Gabrielli 2021-05-12 15:13:58 UTC
Affected packages:

- SUSE:SLE-15-SP2:Update/qemu    4.2.1
- SUSE:SLE-15-SP3:Update/qemu    5.2.0
- openSUSE:Factory/qemu          6.0.0
Comment 2 José Ricardo Ziviani 2021-05-12 22:25:43 UTC
Hello,

These patches are not in upstream yet. I'll backport as soon as they reach upstream.

Thank you
Comment 3 Gianluca Gabrielli 2021-06-07 14:28:36 UTC
Hi Jose, here is the upstream patch [0].

[0] https://gitlab.com/qemu-project/qemu/-/commit/9f22893a.patch
Comment 4 José Ricardo Ziviani 2021-06-08 13:27:32 UTC
(In reply to Gianluca Gabrielli from comment #3)
> Hi Jose, here is the upstream patch [0].
> 
> [0] https://gitlab.com/qemu-project/qemu/-/commit/9f22893a.patch

Thank you Gianluca. Fix will be available in the next MU.
Comment 6 OBSbugzilla Bot 2021-06-15 13:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1185981) was mentioned in
https://build.opensuse.org/request/show/900159 Factory / qemu
Comment 8 OBSbugzilla Bot 2021-06-15 16:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (1185981) was mentioned in
https://build.opensuse.org/request/show/900191 Factory / qemu
Comment 10 José Ricardo Ziviani 2021-06-28 23:05:01 UTC
Fixed

Thank you
Comment 11 Swamp Workflow Management 2021-06-30 19:18:54 UTC
SUSE-SU-2021:2212-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1184574,1185591,1185981,1185990,1186010,1187013
CVE References: CVE-2021-3544,CVE-2021-3545,CVE-2021-3546
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    qemu-4.2.1-11.22.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    qemu-4.2.1-11.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    qemu-4.2.1-11.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-06-30 19:23:44 UTC
SUSE-SU-2021:2213-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185981,1185990,1186010
CVE References: CVE-2021-3544,CVE-2021-3545,CVE-2021-3546
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    qemu-5.2.0-20.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    qemu-5.2.0-20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-07-09 22:15:50 UTC
openSUSE-SU-2021:2213-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185981,1185990,1186010
CVE References: CVE-2021-3544,CVE-2021-3545,CVE-2021-3546
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-5.2.0-20.1
Comment 14 Swamp Workflow Management 2021-07-14 01:19:16 UTC
openSUSE-SU-2021:1043-1: An update that solves 14 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1149813,1163019,1172380,1175534,1176681,1178683,1178935,1179477,1179484,1182846,1182975,1183979,1184574,1185591,1185981,1185990,1186010,1186290,1187013
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419,CVE-2021-3544,CVE-2021-3545,CVE-2021-3546
JIRA References: SLE-17785
Sources used:
openSUSE Leap 15.2 (src):    qemu-4.2.1-lp152.9.16.2, qemu-linux-user-4.2.1-lp152.9.16.1, qemu-testsuite-4.2.1-lp152.9.16.7
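To check whether an installed qemu package already carries one of the four updates above, the following added shell snippet (not part of the advisories or of SUSE tooling) compares an installed version-release string against the fixed source versions listed in SUSE-SU-2021:2212-1, SUSE-SU-2021:2213-1, openSUSE-SU-2021:2213-1 and openSUSE-SU-2021:1043-1. The product keys are the example's own, and the comparison relies on GNU sort -V, which orders these particular version strings the same way rpmvercmp does; for anything more exotic use rpmdev-vercmp or zypper. The pre-fix versions used in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug or the advisories: check an installed
# qemu version-release against the fixed versions the advisories list.

# Fixed source versions per product (from the advisories in this bug);
# the product keys are this example's own.
fixed_qemu_version() {
    case "$1" in
        sle15sp2|microos5)  echo "4.2.1-11.22.1" ;;        # SUSE-SU-2021:2212-1
        sle15sp3|leap15.3)  echo "5.2.0-20.1" ;;           # SUSE-SU-2021:2213-1 / openSUSE-SU-2021:2213-1
        leap15.2)           echo "4.2.1-lp152.9.16.2" ;;   # openSUSE-SU-2021:1043-1
        *)                  return 1 ;;
    esac
}

# version_ge A B: true when A sorts at or after B under GNU sort -V.
# Assumption: sort -V ordering matches rpmvercmp for these version strings.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# qemu_patch_status PRODUCT VERSION-RELEASE
# Prints "patched", "vulnerable" or "unknown-product"; always exits 0 so it
# is safe to call under set -e.
qemu_patch_status() {
    fixed=$(fixed_qemu_version "$1") || { echo "unknown-product"; return 0; }
    if version_ge "$2" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Usage on a live host (rpm query format is real; the product key is yours):
#   qemu_patch_status sle15sp2 "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' qemu)"
# Constructed samples:
qemu_patch_status sle15sp2 4.2.1-11.22.1    # patched
qemu_patch_status sle15sp2 4.2.1-11.21.3    # vulnerable (constructed pre-fix version)
qemu_patch_status leap15.2 4.2.1-lp152.9.16.2   # patched
```

Note that the advisories list source package versions; the binary qemu packages built from them carry the same version-release, which is what the rpm query above returns.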