Bug 1192525 - (CVE-2021-3930) VUL-1: CVE-2021-3930: kvm,qemu: off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Dario Faggioli
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/314342/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3930:3.2:(AV:L...
Depends on:
Blocks: 1192526
Reported: 2021-11-09 16:27 UTC by Carlos López
Modified: 2022-04-20 16:23 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2021-11-09 16:27:57 UTC
rh#2020588

An off-by-one error was found in the SCSI Device emulation in QEMU. It could occur in hw/scsi/scsi-disk.c:mode_sense_page() while processing MODE SELECT commands if 'page' was set to MODE_PAGE_ALLS (0x3f). Specifically, 'page' was used to index the stack-allocated 'mode_sense_valid' buffer (size=0x3f), causing an off-by-one error when trying to access the last element. A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2020588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3930
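The off-by-one described above, as an added example that is neither QEMU's code nor the upstream fix: a model of a MODE SELECT page walk over a mode_sense_valid table of size 0x3f, showing how a page code of MODE_PAGE_ALLS (0x3f) lands one element past the end, and the bounds check a reviewer expects before the table is indexed. The table contents, device-type constants and sample parameter lists are constructed assumptions.

```c
/* Added example (not QEMU code): model of the MODE SELECT page walk behind
 * CVE-2021-3930, with the check that keeps page 0x3f out of the table.
 * Table contents and device-type bits are abbreviated assumptions. */
#include <stddef.h>
#include <stdint.h>

#define MODE_PAGE_ALLS    0x3f   /* "all pages": meaningful for MODE SENSE only */
#define TYPE_DISK         0
#define TYPE_ROM          5
#define ARRAY_SIZE(a)     (sizeof(a) / sizeof((a)[0]))

/* Indexed by the 6-bit page code: bitmask of device types accepting the page.
 * Size 0x3f means legal indices are 0..0x3e; index 0x3f is one past the end. */
static const int mode_sense_valid[0x3f] = {
    [0x01] = (1 << TYPE_DISK) | (1 << TYPE_ROM),   /* read-write error recovery */
    [0x08] = (1 << TYPE_DISK) | (1 << TYPE_ROM),   /* caching */
    [0x0a] = (1 << TYPE_DISK) | (1 << TYPE_ROM),   /* control */
};

/* Walk a MODE SELECT parameter list of page descriptors. Returns 0 if every
 * page is acceptable for dev_type, -1 on an invalid parameter list. */
int mode_select_pages(const uint8_t *p, size_t len, int dev_type)
{
    while (len > 0) {
        if (len < 2) return -1;
        int page = p[0] & 0x3f;                  /* low 6 bits: page code */
        int spf  = p[0] & 0x40;                  /* sub-page format bit */
        size_t hdr, page_len;
        if (spf) {
            if (len < 4) return -1;
            hdr = 4; page_len = ((size_t)p[2] << 8) | p[3];
        } else {
            hdr = 2; page_len = p[1];
        }
        if (hdr + page_len > len) return -1;     /* descriptor overruns buffer */
        /* The guard: 0x3f is not a real page and is exactly one past the end
         * of mode_sense_valid, so reject it before it is used as an index. */
        if (page == MODE_PAGE_ALLS || page >= (int)ARRAY_SIZE(mode_sense_valid))
            return -1;
        if (!(mode_sense_valid[page] & (1 << dev_type))) return -1;
        p   += hdr + page_len;
        len -= hdr + page_len;
    }
    return 0;
}

/* Constructed sample parameter lists (not captured guest traffic). */
static const uint8_t sample_caching_page[]  = { 0x08, 0x02, 0x00, 0x00 };
static const uint8_t sample_subpage_form[]  = { 0x48, 0x01, 0x00, 0x01, 0xaa };
static const uint8_t sample_alls_page[]     = { 0x3f, 0x00 };
static const uint8_t sample_truncated_page[] = { 0x08, 0x10 };
```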
Comment 1 Carlos López 2021-11-09 16:36:57 UTC
Affected codestreams for qemu:
 - SUSE:SLE-12-SP2:Update
 - SUSE:SLE-12-SP3:Update
 - SUSE:SLE-12-SP4:Update
 - SUSE:SLE-12-SP5:Update
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP1:Update
 - SUSE:SLE-15-SP2:Update
 - SUSE:SLE-15-SP3:Update

 Affected codestreams for kvm:
 - SUSE:SLE-11-SP3:Update
 - SUSE:SLE-11-SP4:Update
Comment 2 Carlos López 2021-11-09 16:46:21 UTC
openSUSE:Factory also affected for qemu.

Upstream patch:
https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
Comment 3 Liang Yan 2022-01-08 13:55:20 UTC
No need to backport to 12SP2 since its LTSS ended on 31 Mar 2021
Comment 4 Gianluca Gabrielli 2022-01-31 10:24:02 UTC
Hi Liang, is there any update on that?
Comment 6 Dario Faggioli 2022-02-07 18:29:43 UTC
(In reply to Carlos López from comment #1)
> Affected codestreams for qemu:
>  - SUSE:SLE-12-SP2:Update
>  - SUSE:SLE-12-SP3:Update
>  - SUSE:SLE-12-SP4:Update
>  - SUSE:SLE-12-SP5:Update	
>  - SUSE:SLE-15:Update
>  - SUSE:SLE-15-SP1:Update
>  - SUSE:SLE-15-SP2:Update
>  - SUSE:SLE-15-SP3:Update
> 
>  Affected codestreams for kvm:
>  - SUSE:SLE-11-SP3:Update
>  - SUSE:SLE-11-SP4:Update
>
- 15-SP3:
  https://build.suse.de/package/show/Devel:Virt:SLE-15-SP3/qemu
  https://build.suse.de/request/show/264265
- 12-SP5:
  https://build.suse.de/package/show/Devel:Virt:SLE-12-SP5/qemu
  https://build.suse.de/request/show/264264

I have a few more backports to do, then I'll create the MRs.
Comment 7 Dario Faggioli 2022-03-09 18:23:02 UTC
(In reply to Dario Faggioli from comment #6)
> (In reply to Carlos López from comment #1)
> > Affected codestreams for qemu:
> >  - SUSE:SLE-12-SP2:Update
> >  - SUSE:SLE-12-SP3:Update
> >  - SUSE:SLE-12-SP4:Update
> >  - SUSE:SLE-12-SP5:Update	
> >  - SUSE:SLE-15:Update
> >  - SUSE:SLE-15-SP1:Update
> >  - SUSE:SLE-15-SP2:Update
> >  - SUSE:SLE-15-SP3:Update
> > 
> >  Affected codestreams for kvm:
> >  - SUSE:SLE-11-SP3:Update
> >  - SUSE:SLE-11-SP4:Update
> >
So, considering that 15-SP3 and 12-SP5 are done, and considering the support status of the various codestreams and the CVSS score, I'd say that we're currently missing:

- SUSE:SLE-12-SP3:Update
- SUSE:SLE-15-SP2:Update

Can you confirm that this is the case? Thanks!
Comment 8 Gianluca Gabrielli 2022-03-10 09:21:45 UTC
Close enough, I see the following ones shipping to regular supported prods:
 - SUSE:SLE-12-SP3:Update/qemu
 - SUSE:SLE-15-SP1:Update/qemu
 - SUSE:SLE-15-SP2:Update/qemu
 - SUSE:SLE-11-SP3:Update/kvm
Comment 9 Gianluca Gabrielli 2022-03-10 09:26:33 UTC
(In reply to Gianluca Gabrielli from comment #8)
> Close enough, I see the following ones shipping to regular supported prods:
>  - SUSE:SLE-12-SP3:Update/qemu
>  - SUSE:SLE-15-SP1:Update/qemu
>  - SUSE:SLE-15-SP2:Update/qemu
>  - SUSE:SLE-11-SP3:Update/kvm

As you correctly reported at bcs#1181361#c20, SUSE:SLE-15-SP1:Update/qemu can be omitted.
Comment 10 Carlos López 2022-03-10 09:42:33 UTC
(In reply to Gianluca Gabrielli from comment #8)
> Close enough, I see the following ones shipping to regular supported prods:
>  - SUSE:SLE-12-SP3:Update/qemu
>  - SUSE:SLE-15-SP1:Update/qemu
>  - SUSE:SLE-15-SP2:Update/qemu
>  - SUSE:SLE-11-SP3:Update/kvm
Exactly.

@Dario you can use SMELT to check which codestreams are used in enabled products (disabled == LTSS):
https://smelt.suse.de/maintained/?q=qemu
https://smelt.suse.de/maintained/?q=kvm

SLE-11-SP1:Update/kvm and SLE-11:Update/qemu are not needed because those codestreams are going EOL by the end of this month.
Comment 12 Swamp Workflow Management 2022-03-22 14:16:52 UTC
openSUSE-SU-2022:0930-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1178049,1192525,1193364,1193545,1194938,1195161,1196087,1196737
CVE References: CVE-2021-3930,CVE-2022-0358
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    qemu-5.2.0-150300.112.4, qemu-linux-user-5.2.0-150300.112.3, qemu-testsuite-5.2.0-150300.112.7
Comment 13 Swamp Workflow Management 2022-03-22 14:20:42 UTC
SUSE-SU-2022:0930-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1178049,1192525,1193364,1193545,1194938,1195161,1196087,1196737
CVE References: CVE-2021-3930,CVE-2022-0358
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    qemu-5.2.0-150300.112.4
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    qemu-5.2.0-150300.112.4
SUSE Linux Enterprise Micro 5.1 (src):    qemu-5.2.0-150300.112.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-04-11 19:19:02 UTC
SUSE-SU-2022:1151-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1181361,1187529,1192463,1192525,1196737
CVE References: CVE-2021-20196,CVE-2021-3930
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    qemu-3.1.1.1-63.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-04-20 16:23:29 UTC
SUSE-SU-2022:0930-2: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1178049,1192525,1193364,1193545,1194938,1195161,1196087,1196737
CVE References: CVE-2021-3930,CVE-2022-0358
JIRA References: 
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    qemu-5.2.0-150300.112.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.