Bug 1193880 - (CVE-2021-3929) VUL-0: CVE-2021-3929: kvm, qemu: DMA reentrancy issue leads to use-after-free in nvme
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Li Zhang
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/317812/
Depends on:
Blocks:
Reported: 2021-12-17 16:58 UTC by Thomas Leroy
Modified: 2022-03-31 16:35 UTC (History)
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Thomas Leroy 2021-12-17 16:58:02 UTC
rh#2020298

A DMA reentrancy issue was found in the NVM Express Controller emulation in QEMU. The functions dma_buf_write() and dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking whether the destination region overlaps with the device's MMIO. This flaw is similar to CVE-2021-3750 and, just like CVE-2021-3750, when the reentrant write triggers the reset function nvme_ctrl_reset(), data structs will be freed, leading to a use-after-free issue. This is easier to exploit, though, because the attacker can trigger the free operations precisely and the freed object contains a timer pointer that can be leveraged by the attacker. A malicious guest could use this issue to crash QEMU, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=2020298
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3929
https://gitlab.com/qemu-project/qemu/-/issues/782
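The chain the description sketches, reduced to a runnable model, as an added illustration that is not QEMU's code and not a reproducer for the real controller: a guest points a DMA destination at the device's own register window, the DMA dispatches into the MMIO handler, the handler runs the reset path, and the reset frees state (including a timer) that the DMA caller captured before it started. The register layout, the reset trigger (a write clearing CC.EN), the sizes and every function name here are hypothetical; the hardened variant only models the shape of the upstream fix as I understand it (refusing a DMA whose destination overlaps the controller's own BAR) and does not copy it.

```c
/* Added example, not QEMU's code: a toy model of the DMA reentrancy chain in
 * the report. Register offsets, sizes, the reset trigger (clearing CC.EN) and
 * all names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RAM_SIZE  0x1000u   /* toy guest RAM: addresses [0, RAM_SIZE) */
#define MMIO_BASE 0x2000u   /* the controller's own register window (BAR) */
#define MMIO_SIZE 0x100u
#define REG_CC    0x14u     /* offset of the "configuration" register */
#define CC_EN     0x01u     /* enable bit; a 1 -> 0 write resets the device */

typedef struct { int armed; } Timer;                    /* what a real UAF would hit */
typedef struct { Timer *timer; uint8_t cc; } CtrlState;
typedef struct {
    uint8_t    ram[RAM_SIZE];
    CtrlState *st;       /* freed and rebuilt by ctrl_reset() */
    int        resets;   /* bumped per reset, so a stale pointer is detectable */
} Ctrl;

static CtrlState *state_new(void) {
    CtrlState *s = calloc(1, sizeof *s);
    s->timer = calloc(1, sizeof *s->timer);
    return s;
}

/* Reset path: frees state (timer included) that a DMA caller may still hold. */
static void ctrl_reset(Ctrl *c) {
    free(c->st->timer);
    free(c->st);
    c->st = state_new();
    c->resets++;
}

/* MMIO write handler, byte granular for brevity. Clearing CC.EN resets. */
static void mmio_write(Ctrl *c, uint64_t off, uint8_t val) {
    if (off != REG_CC) return;
    uint8_t old = c->st->cc;
    c->st->cc = val;
    if ((old & CC_EN) && !(val & CC_EN)) ctrl_reset(c);
}

/* True if [addr, addr + len) overlaps the register window. */
static bool addr_is_iomem(uint64_t addr, size_t len) {
    return addr < MMIO_BASE + MMIO_SIZE && addr + len > MMIO_BASE;
}

/* Bus-level DMA: RAM lands in RAM; the device's own window re-enters mmio_write(). */
static void bus_dma_write(Ctrl *c, uint64_t dst, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint64_t a = dst + i;
        if (a < RAM_SIZE) c->ram[a] = buf[i];
        else if (a >= MMIO_BASE && a < MMIO_BASE + MMIO_SIZE) mmio_write(c, a - MMIO_BASE, buf[i]);
    }
}

/* Vulnerable transfer, shaped like the report's nvme_tx(): no overlap check.
 * Returns 1 if the state captured before the DMA was freed underneath it (where real
 * code would go on to touch s->timer); s is only compared, never dereferenced. */
static int tx_unchecked(Ctrl *c, uint64_t dst, const uint8_t *buf, size_t len) {
    CtrlState *s = c->st;
    int gen = c->resets;
    bus_dma_write(c, dst, buf, len);
    (void)s;                         /* dangling exactly when gen != c->resets */
    return c->resets != gen;
}

/* Hardened transfer: reject destinations overlapping the register window,
 * modelling the shape of the upstream fix rather than copying it. */
static int tx_checked(Ctrl *c, uint64_t dst, const uint8_t *buf, size_t len) {
    if (addr_is_iomem(dst, len)) return -1;   /* transfer error; nothing freed */
    return tx_unchecked(c, dst, buf, len);
}

static Ctrl *ctrl_new(void) {
    Ctrl *c = calloc(1, sizeof *c);
    c->st = state_new();
    c->st->cc = CC_EN;               /* enabled, as a running guest leaves it */
    return c;
}
static void ctrl_free(Ctrl *c) { free(c->st->timer); free(c->st); free(c); }

/* One guest-chosen transfer of a zero-filled buffer to dst: aimed at the BAR, byte
 * REG_CC clears CC.EN mid-DMA. Returns the result; *resets gets the reset count. */
static int transfer(int hardened, uint64_t dst, int *resets) {
    Ctrl *c = ctrl_new();
    uint8_t buf[0x20] = {0};
    int r = hardened ? tx_checked(c, dst, buf, sizeof buf)
                     : tx_unchecked(c, dst, buf, sizeof buf);
    if (resets) *resets = c->resets;
    ctrl_free(c);
    return r;
}
static int transfer_resets(int hardened, uint64_t dst) { int n = 0; transfer(hardened, dst, &n); return n; }

int main(void) {
    printf("unchecked -> BAR: result=%d resets=%d\n", transfer(0, MMIO_BASE, NULL), transfer_resets(0, MMIO_BASE));
    printf("checked   -> BAR: result=%d resets=%d\n", transfer(1, MMIO_BASE, NULL), transfer_resets(1, MMIO_BASE));
    return 0;
}
```

The check sits where the DMA starts rather than in the reset path: a register write that resets the controller is legitimate guest behaviour, so the only thing to refuse is a DMA destination inside the device's own BAR. The overlap test is on the whole range, which is why a destination that starts just below the window (MMIO_BASE - 4 with a 32-byte buffer) is also rejected; a start-address-only check would let that transfer reach REG_CC.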
Comment 1 Li Zhang 2022-03-15 08:22:31 UTC
commit: 736b01642d85be832385063f278fe7cd4ffb5221
Comment 2 Thomas Leroy 2022-03-15 09:03:22 UTC
Thanks Li for having kept an eye on this. Let me investigate the issue to tell you which codestreams would be affected.
Comment 3 Thomas Leroy 2022-03-16 14:26:24 UTC
I got an ASan crash on the following codestreams:
- SUSE:SLE-15-SP3:Update             v5.2.0
- SUSE:SLE-15-SP4:Update             v6.2.0
- SUSE:SLE-15-SP4:GA                 v6.2.0
- openSUSE:Factory                   v6.2.0
- openSUSE:Leap:15.3                 v5.2.0
- openSUSE:Leap:15.3:Update          v5.2.0
- openSUSE:Leap:15.4                 v6.2.0
- openSUSE:Leap:15.4:Update          v6.2.0
Comment 4 Li Zhang 2022-03-16 14:49:48 UTC
Thanks Thomas for the clarification. I will backport it to the versions then.