Bug 773220 (CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-3416) - app-emulation/qemu: privileged guest user can cause host DoS (CVE-2021-{3416,20203,20255,20257})

Summary: app-emulation/qemu: privileged guest user can cause host DoS (CVE-2021-{3416,...
Status: CONFIRMED
Alias: CVE-2021-20203, CVE-2021-20255, CVE-2021-20257, CVE-2021-3416
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/qemu/+bug/...
Whiteboard: B3 [upstream]
Keywords:
Depends on:
Blocks:
Reported: 2021-02-27 02:38 UTC by John Helmert III
Modified: 2021-10-17 19:51 UTC
See Also:
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-02-27 02:38:51 UTC
CVE-2021-20203:

An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

Looks like no fix yet.
Comment 1 John Helmert III gentoo-dev Security 2021-02-27 04:00:11 UTC
A few others triggerable by guests.

CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator

Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

CVE-2021-20257: infinite loop in e1000 NIC emulator.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

CVE-2021-3416: infinite loops in various NIC emulators.
Possible patch: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
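As an added illustration (not code from QEMU, from this bug, or from any of the patches linked above), the following C sketch shows the two defect classes named in the description and in this comment: a 32-bit ring-size computation that wraps on a guest-supplied descriptor count (the integer-overflow class reported for vmxnet3), beside a bounds-checked version, and a guest-controlled descriptor-chain walk with an iteration cap so a self-referencing or out-of-range chain cannot spin the emulator thread forever (the infinite-loop class reported for e1000 and the other NIC models). The toy device model, its constants (TOY_DESC_SIZE, TOY_MAX_RING_DESCS), the toy_desc layout and all function names are hypothetical; the sample rings are constructed here for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy NIC model used for illustration only; the constants, the
 * descriptor layout and the function names are not QEMU's. */
#define TOY_DESC_SIZE      16u    /* bytes per descriptor */
#define TOY_MAX_RING_DESCS 4096u  /* upper bound a device model should enforce */

/* Naive ring-size computation: a 32-bit multiply that silently wraps when the
 * guest supplies a huge descriptor count. A buffer sized from this value is far
 * smaller than the number of entries the code will later touch, which is the
 * integer-overflow class the vmxnet3 description refers to. */
static uint32_t ring_bytes_naive(uint32_t count)
{
    return count * TOY_DESC_SIZE;   /* e.g. 0x10000001 * 16 wraps to 16 */
}

/* Hardened version: reject out-of-range counts before any arithmetic, and do
 * the multiply in 64 bits so a wrap is detected rather than hidden. */
static bool ring_bytes_checked(uint32_t count, uint32_t *out)
{
    if (count == 0 || count > TOY_MAX_RING_DESCS) {
        return false;               /* guest value outside the documented range */
    }
    uint64_t bytes = (uint64_t)count * TOY_DESC_SIZE;
    if (bytes > UINT32_MAX) {
        return false;               /* unreachable after the bound check; kept as defence in depth */
    }
    *out = (uint32_t)bytes;
    return true;
}

/* Returns the checked byte size, or -1 when the count is rejected. */
static long demo_checked_bytes(uint32_t count)
{
    uint32_t bytes = 0;
    return ring_bytes_checked(count, &bytes) ? (long)bytes : -1L;
}

/* Toy descriptor: 'next' is the index of the following descriptor and 'eop'
 * marks end of packet. The guest writes both, so a chain may point at itself
 * or outside the ring. */
struct toy_desc {
    uint32_t next;
    uint8_t  eop;
};

/* Walk a descriptor chain from 'head'. Returns the number of descriptors in
 * the packet, or -1 if the chain is malformed. The loop is capped at ring_len
 * steps: a chain that has not terminated after visiting every slot must be
 * cyclic, and without such a cap the emulator thread spins forever, which is
 * the infinite-loop class listed for the e1000 and other NIC emulators. */
static int walk_chain_bounded(const struct toy_desc *ring, uint32_t ring_len,
                              uint32_t head)
{
    uint32_t idx = head;
    for (uint32_t steps = 0; steps < ring_len; steps++) {
        if (idx >= ring_len) {
            return -1;              /* 'next' points outside the ring */
        }
        if (ring[idx].eop) {
            return (int)steps + 1;
        }
        idx = ring[idx].next;
    }
    return -1;                      /* visited more slots than the ring holds */
}

/* Constructed sample rings so the checks can be exercised stand-alone. */
static int demo_well_formed_chain(void)
{
    const struct toy_desc ring[4] = { {1, 0}, {2, 0}, {3, 0}, {0, 1} };
    return walk_chain_bounded(ring, 4, 0);      /* four descriptors, then EOP */
}

static int demo_self_referencing_chain(void)
{
    const struct toy_desc ring[2] = { {1, 0}, {0, 0} };   /* 0 -> 1 -> 0 -> ... */
    return walk_chain_bounded(ring, 2, 0);
}

static int demo_out_of_range_next(void)
{
    const struct toy_desc ring[2] = { {7, 0}, {0, 1} };   /* 'next' beyond the ring */
    return walk_chain_bounded(ring, 2, 0);
}

int main(void)
{
    printf("naive(0x10000001)   = %u (wrapped)\n", ring_bytes_naive(0x10000001u));
    printf("checked(0x10000001) = %ld (rejected)\n", demo_checked_bytes(0x10000001u));
    printf("checked(256)        = %ld bytes\n", demo_checked_bytes(256u));
    printf("well-formed chain   = %d descriptors\n", demo_well_formed_chain());
    printf("self-referencing    = %d\n", demo_self_referencing_chain());
    printf("out-of-range next   = %d\n", demo_out_of_range_next());
    return 0;
}
```

The two checks are independent: the size bound stops a wrapped allocation from ever being made, and the step cap turns a guest-controlled cycle into a rejected packet rather than a hung QEMU process. Both belong at the point where the guest-written value is first read, before it drives any allocation or loop.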
Comment 2 Matthias Maier gentoo-dev 2021-04-04 19:35:28 UTC
The proposed patches are quite nontrivial. We have to wait for upstream to assess the situation.

One patch landed upstream so far:

commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Feb 24 13:45:28 2021 +0800

    e1000: fail early for evil descriptor
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:23:48 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:32:13 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:40:06 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:48:17 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:04:13 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:12:31 UTC
Package list is empty or all packages have requested keywords.
Comment 9 John Helmert III gentoo-dev Security 2021-10-17 19:51:27 UTC
(In reply to John Helmert III from comment #0)
> CVE-2021-20203:
> 
> An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
> for versions up to v5.2.0. It may occur if a guest was to supply invalid
> values for rx/tx queue size or other NIC parameters. A privileged guest user
> may use this flaw to crash the QEMU process on the host resulting in DoS
> scenario.
> 
> Looks like no fix yet.

Now being tracked at https://gitlab.com/qemu-project/qemu/-/issues/308.

(In reply to John Helmert III from comment #1)
> A few others triggerable by guests.
> 
> CVE-2021-20255: infinite recursion in eepro100 i8255x device emulator
> 
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html

Can't find where this was applied, nor an upstream issue.

> CVE-2021-20257: infinite loop in e1000 NIC emulator.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html

In 6.0.0 onward.
 
> CVE-2021-3416: infinite loops in various NIC emulators.
> Possible patch:
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html

Series in 6.0.0 onward.