Bugzilla – Bug 1193880
VUL-0: CVE-2021-3929: kvm, qemu: DMA reentrancy issue leads to use-after-free in nvme
Last modified: 2022-03-31 16:35:05 UTC
rh#2020298 A DMA reentrancy issue was found in the NVM Express Controller emulation in QEMU. The functions dma_buf_write() and dma_buf_read(), called from nvme_tx() in hw/nvme/ctrl.c, can be invoked without checking whether the destination region overlaps the device's own MMIO. This flaw is similar to CVE-2021-3750 and, just like CVE-2021-3750, when the re-entrant write triggers the reset function nvme_ctrl_reset(), data structures are freed, leading to a use-after-free. This one is easier to exploit, though, because the attacker can trigger the free operations precisely and the freed object contains a timer pointer that can be leveraged by the attacker. A malicious guest could use this issue to crash QEMU, resulting in a denial of service, or potentially execute arbitrary code within the context of the QEMU process on the host.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2020298
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3929
https://gitlab.com/qemu-project/qemu/-/issues/782
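The mechanism in the description, as an added toy model written for this page (it is not QEMU code and not the upstream fix): a device DMA routine writes guest data to a guest-chosen address; when that address lies inside the controller's own MMIO BAR, the write is dispatched to the device's MMIO handler, which clears CC.EN and resets the controller, tearing down the submission queue the in-flight command still refers to. The RAM/BAR layout, register offset handling, queue structure and the `check_iomem` flag are assumptions for illustration; the "free" is simulated with a flag so the demo never dereferences freed memory. The hardened path applies the same idea as the range check in the upstream fix (refuse DMA whose target overlaps the controller's MMIO), but in this model's own code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class, not QEMU code. Guest-physical layout
 * is assumed: one RAM window plus the controller's own MMIO BAR. */
#define RAM_SIZE    0x10000u
#define MMIO_BASE   0xfe000000ull
#define MMIO_SIZE   0x1000ull
#define REG_CC      0x14u      /* CC register offset; EN is bit 0 */

enum { TX_OK = 0, TX_REJECTED = 1, TX_UAF = 2 };

typedef struct {
    uint32_t depth;
    bool freed;              /* simulated free: a flag instead of free(), so
                                the demo never touches freed memory */
} Queue;

typedef struct {
    uint8_t ram[RAM_SIZE];
    Queue sq_storage;
    Queue *sq;               /* NULL after reset, like the real controller */
    bool check_iomem;        /* false: vulnerable dispatch, true: hardened */
} Ctrl;

static void ctrl_init(Ctrl *c, bool check_iomem)
{
    memset(c, 0, sizeof *c);
    c->sq_storage.depth = 64;
    c->sq = &c->sq_storage;
    c->check_iomem = check_iomem;
}

/* nvme_ctrl_reset() analogue: tears down the queues. */
static void ctrl_reset(Ctrl *c)
{
    if (c->sq) {
        c->sq->freed = true;     /* stands in for g_free() of the queue */
        c->sq = NULL;
    }
}

/* MMIO write handler. Clearing CC.EN resets the controller. */
static void mmio_write(Ctrl *c, uint64_t off, uint32_t val)
{
    if (off == REG_CC && (val & 1u) == 0) {
        ctrl_reset(c);
    }
}

/* Range check used by the hardened path: does the DMA target overlap our BAR? */
static bool addr_is_iomem(uint64_t addr, size_t len)
{
    return addr < MMIO_BASE + MMIO_SIZE && addr + len > MMIO_BASE;
}

/* address_space_write() analogue: RAM is a memcpy; a BAR address dispatches
 * to the device's own MMIO handler, which is the re-entrant path. */
static int dma_write(Ctrl *c, uint64_t addr, const uint8_t *buf, size_t len)
{
    if (addr + len <= RAM_SIZE) {
        memcpy(c->ram + addr, buf, len);
        return 0;
    }
    if (addr >= MMIO_BASE && addr + len <= MMIO_BASE + MMIO_SIZE) {
        for (size_t i = 0; i + 4 <= len; i += 4) {
            uint32_t v;
            memcpy(&v, buf + i, sizeof v);
            mmio_write(c, addr - MMIO_BASE + i, v);
        }
        return 0;
    }
    return -1;
}

/* nvme_tx() analogue: DMA to a guest-chosen address, then keep working with
 * the submission queue that issued the command. */
static int nvme_tx_model(Ctrl *c, uint64_t dest, const uint8_t *buf, size_t len)
{
    if (c->check_iomem && addr_is_iomem(dest, len)) {
        return TX_REJECTED;          /* hardened: refuse DMA into own MMIO */
    }
    Queue *sq = c->sq;               /* cached before the DMA */
    if (!sq || dma_write(c, dest, buf, len) != 0) {
        return TX_REJECTED;
    }
    /* The DMA may have reset the controller underneath us. */
    return sq->freed ? TX_UAF : TX_OK;
}

/* Guest aims a 4-byte DMA of CC=0 at its own controller's BAR (or at RAM). */
static int run_scenario(bool hardened, bool target_mmio)
{
    static Ctrl c;
    ctrl_init(&c, hardened);
    uint8_t payload[4] = { 0, 0, 0, 0 };        /* CC.EN = 0 */
    uint64_t dest = target_mmio ? MMIO_BASE + REG_CC : 0x1000;
    return nvme_tx_model(&c, dest, payload, sizeof payload);
}

int main(void)
{
    printf("vulnerable, DMA into BAR: %d (2 = use-after-free)\n", run_scenario(false, true));
    printf("hardened,   DMA into BAR: %d (1 = rejected)\n", run_scenario(true, true));
    printf("vulnerable, DMA into RAM: %d (0 = ok)\n", run_scenario(false, false));
    return 0;
}
```

The point the model makes is that the queue pointer is cached before the DMA and used after it; the re-entrant MMIO write is the only thing between those two steps, so the guest controls exactly when the free happens. The check belongs before the DMA is issued, on the target range, not after the fact.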
commit: 736b01642d85be832385063f278fe7cd4ffb5221
Thanks Li for having kept an eye on this. Let me investigate the issue to tell you which codestreams would be affected.
I got an ASan crash on the following codestreams:
- SUSE:SLE-15-SP3:Update v5.2.0
- SUSE:SLE-15-SP4:Update v6.2.0
- SUSE:SLE-15-SP4:GA v6.2.0
- openSUSE:Factory v6.2.0
- openSUSE:Leap:15.3 v5.2.0
- openSUSE:Leap:15.3:Update v5.2.0
- openSUSE:Leap:15.4 v6.2.0
- openSUSE:Leap:15.4:Update v6.2.0
Thanks Thomas for the clarification. I will backport it to those versions then.