Bugzilla – Bug 1186473
VUL-1: CVE-2021-3416: qemu,kvm: net: infinite loop in loopback mode may lead to stack overflow
Last modified: 2022-09-20 11:23:14 UTC
rh#1932827

A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU. The said issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume cpu cycles or crash the QEMU process on the host resulting in DoS scenario.

Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1932827
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3416
https://www.openwall.com/lists/oss-security/2021/02/26/1
http://seclists.org/oss-sec/2021/q1/180
https://access.redhat.com/security/cve/CVE-2021-3416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3416
https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07484.html
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

https://git.qemu.org/?p=qemu.git;a=commit;h=705df5466c98f3efdd2b68d3b31dad86858acad7
https://git.qemu.org/?p=qemu.git;a=commit;h=1caff0340f49c93d535c6558a5138d20d475315c
https://git.qemu.org/?p=qemu.git;a=commit;h=331d2ac9ea307c990dc86e6493e8f0c48d14bb33
https://git.qemu.org/?p=qemu.git;a=commit;h=26194a58f4eb83c5bdf4061a1628508084450ba1
https://git.qemu.org/?p=qemu.git;a=commit;h=8c92060d3c0248bd4d515719a35922cd2391b9b4
https://git.qemu.org/?p=qemu.git;a=commit;h=8c552542b81e56ff532dd27ec6e5328954bdda73
https://git.qemu.org/?p=qemu.git;a=commit;h=5311fb805a4403bba024e83886fa0e7572265de4
https://git.qemu.org/?p=qemu.git;a=commit;h=99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928
https://git.qemu.org/?p=qemu.git;a=commit;h=e73adfbeec9d4e008630c814759052ed945c3fed
https://git.qemu.org/?p=qemu.git;a=commit;h=37cee01784ff0df13e5209517e1b3594a5e792d1
@Bruce: We revised this issue and CVE-2021-3419/bsc#1182968. Our assessment is that there are patches missing from the patchset. Therefore I opened this bug to track the issue correctly. Assigning this to you because you handled the other issue.
assigning to kvm-bugs instead
SUSE-SU-2021:14772-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1173612,1174386,1178683,1180523,1181933,1186473,1187364,1187367
CVE References: CVE-2020-11947,CVE-2020-15469,CVE-2020-15863,CVE-2020-25707,CVE-2021-20221,CVE-2021-3416,CVE-2021-3592,CVE-2021-3594
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): kvm-1.4.2-60.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:14774-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1031692,1173612,1174386,1178683,1180523,1181933,1186473,1187364,1187367
CVE References: CVE-2020-11947,CVE-2020-15469,CVE-2020-15863,CVE-2020-25707,CVE-2021-20221,CVE-2021-3416,CVE-2021-3592,CVE-2021-3594
JIRA References:
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src): kvm-1.4.2-53.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Hello Robert,

As far as I can see, everything is in there:

[10] commit df308ce8d01f2368025ca2e1fb346ef23459767f
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Mon Mar 1 14:35:30 2021 -0500

    lan9118: switch to use qemu_receive_packet() for loopback

    Git-commit: 37cee01784ff0df13e5209517e1b3594a5e792d1

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[9] commit b9860a8a53e43218ae4c814dfa99ef0832ffd85e
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Mon Mar 1 14:33:43 2021 -0500

    cadence_gem: switch to use qemu_receive_packet() for loopback

    Git-commit: e73adfbeec9d4e008630c814759052ed945c3fed

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[8] commit 2f808a1d9442e63829487d96e19394508d24d65b
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Mon Mar 1 10:33:34 2021 -0500

    pcnet: switch to use qemu_receive_packet() for loopback

    Git-commit: 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[7] commit 595becb10fbf8879055837958858950a3391356f
Author: Alexander Bulekov <alxndr@bu.edu>
Date:   Fri Feb 26 13:47:53 2021 -0500

    rtl8139: switch to use qemu_receive_packet() for loopback

    Git-commit: 5311fb805a4403bba024e83886fa0e7572265de4
    References: bsc#1182968, CVE-2021-3416

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[6] commit dff4c7ce6a81fc5ef637c06fa5ae33bf7dab026e
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:27:52 2021 +0800

    tx_pkt: switch to use qemu_receive_packet_iov() for loopback

    Git-commit: 8c552542b81e56ff532dd27ec6e5328954bdda73

    This patch switches to use qemu_receive_receive_iov() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[5] commit 233e0087a0440a62691a15230a1e69082d516b55
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:14:35 2021 +0800

    sungem: switch to use qemu_receive_packet() for loopback

    Git-commit: 8c92060d3c0248bd4d515719a35922cd2391b9b4

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[4] commit 881a102c226db2ca33550218dcfc42c951e24245
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:00:01 2021 +0800

    msf2-mac: switch to use qemu_receive_packet() for loopback

    Git-commit: 26194a58f4eb83c5bdf4061a1628508084450ba1

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[3] commit 67f1a2fb7d147f4d862f6fadb026046e1e2c226e
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 12:57:40 2021 +0800

    dp8393x: switch to use qemu_receive_packet() for loopback packet

    Git-commit: 331d2ac9ea307c990dc86e6493e8f0c48d14bb33

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[2] commit 8acfc94869ebdcb148bf3905ce795e0a648a8caf
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 12:13:22 2021 +0800

    e1000: switch to use qemu_receive_packet() for loopback

    Git-commit: 1caff0340f49c93d535c6558a5138d20d475315c

    This patch switches to use qemu_receive_packet() which can detect
    reentrancy and return early.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Cc: qemu-stable@nongnu.org
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>

[1] commit 4dfa86c6720430b27fb410341069eda1b83b5051
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 11:44:36 2021 +0800

    net: introduce qemu_receive_packet()

    Git-commit: 705df5466c98f3efdd2b68d3b31dad86858acad7
    References: bsc#1182968, CVE-2021-3416

    Some NIC supports loopback mode and this is done by calling
    nc->info->receive() directly which in fact suppresses the effort of
    reentrancy check that is done in qemu_net_queue_send().

    Unfortunately we can't use qemu_net_queue_send() here since for
    loopback there's no sender as peer, so this patch introduce a
    qemu_receive_packet() which is used for implementing loopback mode
    for a NIC with this check.

    NIC that supports loopback mode will be converted to this helper.

    This is intended to address CVE-2021-3416.

    Cc: Prasad J Pandit <ppandit@redhat.com>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    Cc: qemu-stable@nongnu.org
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Bruce Rogers <brogers@suse.com>
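The reentrancy guard that commit [1] above describes, as an added illustration (a constructed toy model, not QEMU's code): a NIC whose loopback path calls its own rx handler directly recurses until the host stack is exhausted, whereas routing the loopback packet through a qemu_receive_packet()-style helper that tracks an in-progress delivery (as QEMU's net queue does with its delivering flag) returns early on the second entry. All names here (ToyNic, toy_receive, toy_receive_packet, loopback_max_depth, MAX_DEPTH) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed toy model of the CVE-2021-3416 loopback loop; not QEMU code. */
#define MAX_DEPTH 64   /* stands in for the host thread's real stack limit */

typedef struct {
    int loopback, delivering;   /* loopback mode; mirrors NetQueue->delivering in QEMU */
    int depth, max_depth;       /* current and deepest nesting of toy_receive() */
} ToyNic;

static int toy_transmit(ToyNic *nic, const uint8_t *buf, size_t len, int guarded);

/* Device rx handler. In this toy device receiving re-triggers transmit (a stand-in
 * for the reentrant DMA the advisory describes), so loopback feeds back into itself. */
static int toy_receive(ToyNic *nic, const uint8_t *buf, size_t len, int guarded)
{
    if (++nic->depth > MAX_DEPTH) {   /* on a real host this is the stack overflow */
        nic->depth--;
        return -1;
    }
    if (nic->depth > nic->max_depth) nic->max_depth = nic->depth;
    int r = toy_transmit(nic, buf, len, guarded);
    nic->depth--;
    return r < 0 ? r : (int)len;
}

/* Counterpart of qemu_receive_packet(): refuse to re-enter an in-progress delivery. */
static int toy_receive_packet(ToyNic *nic, const uint8_t *buf, size_t len)
{
    if (nic->delivering) return 0;    /* reentrant call: drop the packet, return early */
    nic->delivering = 1;
    int r = toy_receive(nic, buf, len, 1);
    nic->delivering = 0;
    return r;
}

static int toy_transmit(ToyNic *nic, const uint8_t *buf, size_t len, int guarded)
{
    if (!nic->loopback) return (int)len;
    /* Unguarded: call the rx handler directly, like the old nc->info->receive() path. */
    return guarded ? toy_receive_packet(nic, buf, len) : toy_receive(nic, buf, len, 0);
}

/* Drive one guest-initiated transmit in loopback mode. Returns the deepest
 * nesting reached, negated if the loop ran into MAX_DEPTH (the simulated crash). */
int loopback_max_depth(int guarded)
{
    ToyNic nic = { .loopback = 1 };
    static const uint8_t pkt[] = "constructed frame";   /* constructed sample input */
    int r = toy_transmit(&nic, pkt, sizeof pkt, guarded);
    return r < 0 ? -nic.max_depth : nic.max_depth;
}
```

The unguarded path nests until MAX_DEPTH and reports a simulated overflow; the guarded path delivers the frame exactly once and returns at depth 1.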
I compared it with the list from comment #1 and it really seems correct. All patches are there, in the same order. I'm returning this patch to the security team for confirmation. Thank you!
*** Bug 1182968 has been marked as a duplicate of this bug. ***
Done, closing.