Bugzilla – Bug 1193880
VUL-0: CVE-2021-3929: kvm, qemu: DMA reentrancy issue leads to use-after-free in nvme
Last modified: 2022-03-31 16:35:05 UTC
A DMA reentrancy issue was found in the NVM Express Controller emulation in QEMU. The functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking whether the destination region overlaps with the device's MMIO. This flaw is similar to CVE-2021-3750 and, just like CVE-2021-3750, when the reentrant write triggers the reset function nvme_ctrl_reset(), data structs will be freed, leading to a use-after-free issue. This is easier to exploit, though, because the attacker can trigger the free operations precisely and the freed object contains a timer pointer that can be leveraged by the attacker. A malicious guest could use this issue to crash QEMU, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host.
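An added illustration of the guard the description says nvme_tx() lacked: before a DMA transfer is performed, the guest-physical range is checked against the device's own MMIO window and refused on overlap, so the transfer can never re-enter the controller's register handlers. This is example code written for this page, not QEMU's code or the upstream fix; the address layout, sizes and names (sim_device, guarded_dma_write, demo_dev) are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout, not QEMU's: 64 KiB of guest RAM at address 0, and the
 * device's own register window (BAR-style MMIO) at 0xFE000000, 16 KiB long. */
#define GUEST_RAM_SIZE 0x10000u
#define DEV_MMIO_BASE  0xFE000000ull
#define DEV_MMIO_SIZE  0x4000ull

typedef struct {
    uint64_t mmio_base;            /* guest-physical base of the device's MMIO window */
    uint64_t mmio_size;
    uint8_t  ram[GUEST_RAM_SIZE];  /* simulated guest RAM backing [0, GUEST_RAM_SIZE) */
    unsigned refused;              /* transfers the guard rejected (for monitoring) */
} sim_device;

sim_device demo_dev = { DEV_MMIO_BASE, DEV_MMIO_SIZE, {0}, 0 };

/* True if [addr, addr+len) touches the device's own MMIO window.  A length
 * that wraps the 64-bit space is reported as overlapping, so the caller
 * fails closed rather than letting the wrap slip past the comparison. */
bool dma_range_hits_mmio(const sim_device *d, uint64_t addr, uint64_t len)
{
    if (len == 0) return false;
    if (addr > UINT64_MAX - len) return true;
    uint64_t end = addr + len;                          /* exclusive */
    uint64_t mmio_end = d->mmio_base + d->mmio_size;    /* exclusive */
    return addr < mmio_end && d->mmio_base < end;
}

/* Guarded transfer in the direction of dma_buf_write(): device -> guest memory.
 * Returns 0 when the bytes landed in simulated RAM, -1 when the destination
 * was refused (overlaps our MMIO window, or is not backed by RAM). */
int guarded_dma_write(sim_device *d, uint64_t addr, const void *buf, size_t len)
{
    if (dma_range_hits_mmio(d, addr, len)) {
        d->refused++;         /* would re-enter our own MMIO handlers: refuse */
        return -1;
    }
    if (len > GUEST_RAM_SIZE || addr > GUEST_RAM_SIZE - len) {
        return -1;            /* outside simulated RAM */
    }
    memcpy(d->ram + addr, buf, len);
    return 0;
}
```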
Thanks, Li, for keeping an eye on this. Let me investigate the issue to work out which codestreams would be affected.
I got an ASan crash on the following codestreams:
- SUSE:SLE-15-SP3:Update v5.2.0
- SUSE:SLE-15-SP4:Update v6.2.0
- SUSE:SLE-15-SP4:GA v6.2.0
- openSUSE:Factory v6.2.0
- openSUSE:Leap:15.3 v5.2.0
- openSUSE:Leap:15.3:Update v5.2.0
- openSUSE:Leap:15.4 v6.2.0
- openSUSE:Leap:15.4:Update v6.2.0
Thanks, Thomas, for the clarification. I will backport it to those versions then.