
Bug 773220 (CVE-2021-20203, CVE-2021-20257, CVE-2021-3416)

Summary: <app-emulation/qemu-6.2.0: privileged guest user can cause host DoS (CVE-2021-{3416,20203,20255,20257})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, sam, tamiko, virtualization, zlogene
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.launchpad.net/qemu/+bug/1913873
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 02:38:51 UTC
CVE-2021-20203:

An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Looks like no fix yet.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 04:00:11 UTC
A few others triggerable by guests.

CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator

Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

CVE-2021-20257: infinite loop in e1000 NIC emulator.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

CVE-2021-3416: infinite loops in various NIC emulators.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
Comment 2 Matthias Maier gentoo-dev 2021-04-04 19:35:28 UTC
The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation.

One patch landed upstream so far:

commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:45:28 2021 +0800

    e1000: fail early for evil descriptor
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:12:31 UTC
Package list is empty or all packages have requested keywords.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 19:51:27 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-20203:
> 
> An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> for versions up to v5.2.0. It may occur if a guest was to supply invalid
> values for rx/tx queue size or other NIC parameters. A privileged guest user
> may use this flaw to crash the QEMU process on the host resulting in DoS
> scenario.
> 
> Looks like no fix yet.

Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

(In reply to John Helmert III from comment #1)
> A few others triggerable by guests.
> 
> CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> 
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

Can't find where this was applied, nor an upstream issue.

> CVE-2021-20257: infinite loop in e1000 NIC emulator.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

In 6.0.0 onward.
 
> CVE-2021-3416: infinite loops in various NIC emulators.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

Series in 6.0.0 onward.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-09 21:00:30 UTC
(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> > 
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> > 
> > Looks like no fix yet.
> 
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

Patch in 6.2.0: https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88728facafb993c7280547eb4d645

> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> > 
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> > 
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
> 
> Can't find where this was applied, nor an upstream issue.
> 
> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
> 
> In 6.0.0 onward.
>  
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
> 
> Series in 6.0.0 onward.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 03:00:43 UTC
(In reply to John Helmert III from comment #9)
> (In reply to John Helmert III from comment #0)
> > CVE-2021-20203:
> > 
> > An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> > for versions up to v5.2.0. It may occur if a guest was to supply invalid
> > values for rx/tx queue size or other NIC parameters. A privileged guest user
> > may use this flaw to crash the QEMU process on the host resulting in DoS
> > scenario.
> > 
> > Looks like no fix yet.
> 
> Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.
> 
> (In reply to John Helmert III from comment #1)
> > A few others triggerable by guests.
> > 
> > CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> > 
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
> 
> Can't find where this was applied, nor an upstream issue.

I'll just pop this CVE into a different bug so we can proceed with the rest of the CVEs here.

> > CVE-2021-20257: infinite loop in e1000 NIC emulator.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
> 
> In 6.0.0 onward.
>  
> > CVE-2021-3416: infinite loops in various NIC emulators.
> > Possible patch:
> > https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
> 
> Series in 6.0.0 onward.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:42:23 UTC
GLSA request filed
Comment 13 Larry the Git Cow gentoo-dev 2022-08-14 16:10:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:11:20 UTC
GLSA done, all done.