Bug 773220 (CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-3416)

Summary:	app-emulation/qemu: privileged guest user can cause host DoS (CVE-2021-{3416,20203,20255,20257})
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	CONFIRMED ---
Severity:	minor	CC:	ajak, sam, tamiko, virtualization, zlogene
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugs.launchpad.net/qemu/+bug/1913873
Whiteboard:	B3 [upstream]
Package list:		Runtime testing required:	---

Description John Helmert III gentoo-dev

2021-02-27 02:38:51 UTC

CVE-2021-20203:

An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Looks like no fix yet.

Comment 1 John Helmert III gentoo-dev

2021-02-27 04:00:11 UTC

A few others triggerable by guests.

CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator

Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

CVE-2021-20257: infinite loop in e1000 NIC emulator.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

CVE-2021-3416: infinite loops in various NIC emulators.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

Comment 2 Matthias Maier gentoo-dev

2021-04-04 19:35:28 UTC

The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation.

One patch landed upstream so far:

commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:45:28 2021 +0800

    e1000: fail early for evil descriptor

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:23:48 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:32:13 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:40:06 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:48:17 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:04:13 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:12:31 UTC

Package list is empty or all packages have requested keywords.

Comment 9 John Helmert III gentoo-dev

2021-10-17 19:51:27 UTC

(In reply to John Helmert III from comment #0)
> CVE-2021-20203:
> 
> An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> for versions up to v5.2.0. It may occur if a guest was to supply invalid
> values for rx/tx queue size or other NIC parameters. A privileged guest user
> may use this flaw to crash the QEMU process on the host resulting in DoS
> scenario.
> 
> Looks like no fix yet.

Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

(In reply to John Helmert III from comment #1)
> A few others triggerable by guests.
> 
> CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> 
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

Can't find where this was applied, nor an upstream issue.

> CVE-2021-20257: infinite loop in e1000 NIC emulator.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

In 6.0.0 onward.
 
> CVE-2021-3416: infinite loops in various NIC emulators.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

Series in 6.0.0 onward.

Comment 10 John Helmert III gentoo-dev

2022-01-09 21:00:30 UTC

(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> > 
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> > 
> > Looks like no fix yet.
> 
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

Patch in 6.2.0: https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88728facafb993c7280547eb4d645

> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> > 
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> > 
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
> 
> Can't find where this was applied, nor an upstream issue.
> 
> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
> 
> In 6.0.0 onward.
>  
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
> 
> Series in 6.0.0 onward.