CVE-2021-3750: Fix DMA MMIO reentrancy issues (#556) · Issues · QEMU / QEMU · GitLab
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller’s registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
Fix DMA MMIO reentrancy issues
Goal
Find a generic way to fix the DMA reentrancy problem.
Technical details
A DMA ring buffer might contain pointers into the device's own DMA-capable MMIO region; once the DMA is programmed, the transfer writes into those registers and the device re-enters itself recursively.
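The recursion described above, reduced to a constructed toy device (this example is added here and is not QEMU's code; the register layout, the `CTRL_RESET` bit and the `in_dma` guard are hypothetical). A guest-supplied buffer pointer that lands in the device's own MMIO window turns a DMA store into a register write, the write triggers a reset that frees the in-flight packet, and the transfer then continues on freed state; the generic guard drops MMIO accesses that arrive while a transfer is in flight:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Toy device model (constructed for this example, not QEMU code): a 4 KiB
 * MMIO window and one DMA buffer pointer supplied by the guest. */
#define MMIO_BASE  0x1000u
#define MMIO_SIZE  0x1000u
#define REG_CTRL   0x0u        /* writing CTRL_RESET here resets the device */
#define CTRL_RESET 0x1u
typedef struct {
    uint32_t buf_ptr;      /* guest-controlled buffer pointer the DMA engine writes to */
    bool in_dma;           /* a transfer is in flight */
    bool packet_freed;     /* reset released the in-flight packet */
    bool guard_enabled;    /* mitigation: refuse MMIO access while in_dma */
} Device;
static uint8_t guest_mem[0x10000];   /* toy 64 KiB guest address space */
static void device_reset(Device *d) {
    d->packet_freed = true;    /* the real model frees the packet here */
}

static void mmio_write(Device *d, uint32_t off, uint32_t val) {
    if (d->guard_enabled && d->in_dma) {
        return;                /* re-entrant register access dropped: generic guard */
    }
    if (off == REG_CTRL && (val & CTRL_RESET)) {
        device_reset(d);
    }
}

/* DMA write into guest memory; hits on the MMIO window dispatch back to the device,
 * just as the Memory API routes a DMA store that targets a device's own registers. */
static void dma_write(Device *d, uint32_t addr, uint32_t val) {
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        mmio_write(d, addr - MMIO_BASE, val);
    } else if (addr + sizeof val <= sizeof guest_mem) {
        memcpy(&guest_mem[addr], &val, sizeof val);
    }
}

/* Runs one transfer; returns 1 if the packet was freed underneath it (a use-after-free
 * in the real model), 0 if the transfer completed cleanly. */
int run_transfer(uint32_t buf_ptr, bool guard_enabled) {
    Device d = { .buf_ptr = buf_ptr, .guard_enabled = guard_enabled };
    d.in_dma = true;
    dma_write(&d, d.buf_ptr, 0xdeadbeef);   /* payload with bit 0 set: reads as CTRL_RESET */
    d.in_dma = false;
    return d.packet_freed ? 1 : 0;
}
```

A pointer into ordinary guest RAM completes cleanly, a pointer into the MMIO window frees the packet mid-transfer without the guard, and the guard turns the same input into a dropped write.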
Additional information
List of DMA reentrancy issues (usually found by fuzzer):
- #62 (AHCI)
- #84 (closed), #305 (closed), #552 (closed) (SCSI)
- #451 (closed) (SDHCI)
- #540 (xHCI)
- #541 (EHCI)
- #542 (closed) (HDA)
- #557 (pcnet)
- #782 (closed) (NVMe)
- eepro100
- #827 (virtio-blk)
Usually coredump backtrace includes multiple calls to access_with_adjusted_size() from the Memory API.
Edited Jan 18, 2022 by